Abstract. Designing and analysing multiparty distributed interactions can be
achieved either by means of a global view (e.g. in choreography-based approaches)
or by composing available computational entities (e.g. in service orchestration).
This paper proposes a typing system which makes it possible, under some conditions,
to synthesise a choreography (i.e. a multiparty global type) from a set of local
session types which describe end-point behaviours (i.e. local types).

1 Introduction 

Communication-centred applications are paramount in the design and implementation
of modern distributed systems such as those in service-oriented or cloud computing.
Session types [8] and their multiparty variants [7, 9] offer an effective formal framework
for designing, analysing, and implementing this class of applications. Those theories
feature rather appealing methodologies that consist of (i) designing a global view of
the interactions - aka global type -, (ii) effective analysis of such a global view, (iii)
automatic projection of the global view to local end-points - aka local types -, and (iv)
type checking end-point code against local types. Such theories guarantee that, when
the global view enjoys suitable properties (phase (ii)), the end-points typable with local
types enjoy e.g. liveness properties like progress.

A drawback of such approaches is that they cannot be applied when the local types 
describing the communication patterns of end-points are not obtained by an a priori 
designed global view. For instance, in service-oriented computing, one typically has 
independently developed end-points that have to be combined to form larger services. 
Hence, deciding if the combined service respects its specification becomes non trivial. 
To illustrate this, we introduce a simple example used throughout the paper. 

Consider a system $S_{BS} = b_1[P_1] \mid s_1[S_1] \mid b_2[P_2] \mid s_2[S_2]$ consisting of two buyers
($b_1$ and $b_2$) and two servers ($s_1$ and $s_2$) running in parallel, so that

$P_1 = t_1!\mathsf{order}.\,p_1?\mathsf{price}.\,r?\mathsf{price}.\,(c_1!.\,t_1!\mathsf{addr} \oplus c_2!.\,\mathit{no}_1!)$ is the behaviour of $b_1$
$P_2 = t_2!\mathsf{order}.\,p_2?\mathsf{price}.\,r!\mathsf{price}.\,(c_2?.\,t_2!\mathsf{addr} + c_1?.\,\mathit{no}_2!)$ is the behaviour of $b_2$
$S_i = t_i?\mathsf{order}.\,p_i!\mathsf{price}.\,(t_i?\mathsf{addr} + \mathit{no}_i?)$, $i \in \{1,2\}$, is the behaviour of $s_i$

with $a!e$ (resp. $a?e$) representing the action of sending (resp. receiving) a message of
type $e$ on a channel $a$ (we omit $e$ when the message is immaterial), $\oplus$ representing an
internal choice, and $+$ a choice made by the environment.



Intuitively, the overall behaviour of $S_{BS}$ should be that either $b_1$ or $b_2$ purchase from
their corresponding sellers. A natural question arises: is $S_{BS}$ correct? Arguably, it is not
immediate to decide this by considering the end-point behaviours.

We propose to construct a global view of distributed end-points like $S_{BS}$ by a
straightforward extension of the multiparty session types introduced in [9]. Such types
formalise a global view of the behaviour which, for $S_{BS}$, resembles the informal diagram
below, where the choreography of the overall protocol becomes much clearer.
An advantage of our approach is that we can reuse the results of the theory of
multiparty session types to prove properties of end-points e.g. safety and progress. In fact,
we show that when the choreography can be constructed, its projections correspond to
the initial end-points. Therefore, the well-formedness of the synthesised global
choreography guarantees progress and safety properties of end-points.

The extraction of session types from programs has been studied extensively [6, 8, 9]. 
We assume in this work that such session types are readily available before addressing 
the construction of a global type. 

Contributions. We introduce a theory whereby, under some conditions, it is possible to 
assign a global type to a set of local types. If a global type can be constructed from a 
set of local types, we show that it is unique (Theorem 2) and well-formed (Theorem 3). 
In addition, we show that typability is preserved by reduction (Theorem 4). Our theory 
also guarantees progress and safety properties (Theorems 5 and 6). We also show that 
the projections of a constructed global type are equivalent to the original system
(Theorem 7). Finally, we show that for every well-formed global type, an equivalent global
type can be assigned to its projections (Theorem 8).

Synopsis. In § 2, we give the syntax and semantics of the local types from which it is 
possible to construct a global type. In § 3, we present an extension of the global types 
in [9]. In § 4, we introduce a typing system for local types, and we give our main
results. Finally, in § 5 we conclude, and discuss related and future work. 

2 Local Types 

We use CCS-like processes (with guarded external and internal choices) to infer a global 
type from local types that correspond to the participants in the inferred choreography. 
Hereafter, $\mathbb{P}$ is a denumerable set of participant names (ranged over by $s, r, n, \ldots$) and
$\mathbb{C}$ is a denumerable set of channel names (ranged over by $a, b, \ldots$).



Syntax. The syntax of local types below is parametrised wrt basic data types such as
bool, int, . . . (ranged over by $e$):

$$S, T ::= S \mid S' \;\;\big|\;\; n[P] \;\;\big|\;\; a : \rho \;\;\big|\;\; \mathbf{0}$$

$$P, Q ::= \bigoplus_{i \in I} a_i!e_i.P_i \;\;\big|\;\; \sum_{i \in I} a_i?e_i.P_i \;\;\big|\;\; \mu x.P \;\;\big|\;\; x$$

A system $S$ consists of the parallel composition of processes and queues. A process
$n[P]$ is a behaviour $P$ identified by $n \in \mathbb{P}$; we assume that the participant names are all
different. A behaviour is either a guarded external choice, a guarded internal choice,
or a recursive process. An internal choice $\bigoplus_{i \in I} a_i!e_i.P_i$ is guarded by output prefixes
$a_i!e_i$ representing the sending of a value of sort $e_i$ on channel $a_i$. An external choice
$\sum_{i \in I} a_i?e_i.P_i$ is guarded by input prefixes $a_i?e_i$ representing the reception of a value of
type $e_i$ on channel $a_i$. We adopt asynchronous (order-preserving) communications and
assume that the channels in the guards of choices are pairwise distinct; moreover

$$\mathbf{0} \;\overset{\mathrm{def}}{=}\; \bigoplus_{i \in \emptyset} a_i!e_i.P_i \;=\; \sum_{i \in \emptyset} a_i?e_i.P_i$$

Finally, in a recursive behaviour $\mu x.P$, all occurrences of $x$ in $P$ are bound and
prefix-guarded; also, we consider closed behaviours only, that is, behaviours with no free
occurrences of recursion variables. We assume that bound variables are pairwise distinct.

A program is a system with no queues, while a runtime system is a system having
exactly one queue $a : \rho$ per channel name $a \in \mathbb{C}$ in $S$. In the following, $S, T, \ldots$ denote
either a program or runtime system.

Semantics. The semantics of local types is given by the labelled transition system (LTS)
whose labels are

$$\lambda ::= \alpha \;\mid\; \checkmark \;\mid\; a \cdot e \;\mid\; e \cdot a \;\mid\; n[\alpha] \;\mid\; n : \alpha \qquad \text{where } \alpha ::= a!e \;\mid\; a?e$$

Label $\alpha$ indicates either sending or reception by a process. Label $\checkmark$ indicates
termination, $a \cdot e$ and $e \cdot a$ respectively indicate push and pop operations on queues. Label
$n[\alpha]$ indicates a communication action done by participant $n$ while $n : a!e$ and $n : a?e$
indicate a synchronisation between $n$ and a queue.

Assume the usual laws for commutative monoids for $\mid$ and $\mathbf{0}$ on systems and
$\mu x.P \equiv P[\mu x.P / x]$. The LTS $\xrightarrow{\lambda}$ is the smallest relation closed under the following rules:

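$$\textsf{[int]}\quad \bigoplus_{i \in I} a_i!e_i.P_i \xrightarrow{a_j!e_j} P_j \quad (j \in I) \qquad\qquad \textsf{[ext]}\quad \sum_{i \in I} a_i?e_i.P_i \xrightarrow{a_j?e_j} P_j \quad (j \in I)$$

$$\textsf{[push]}\quad a : \rho \xrightarrow{a \cdot e} a : \rho \cdot e \qquad\qquad \textsf{[pop]}\quad a : e \cdot \rho \xrightarrow{e \cdot a} a : \rho \qquad\qquad \textsf{[end]}$$

$$\textsf{[in]}\quad \dfrac{S \xrightarrow{n[a?e]} S' \qquad T \xrightarrow{e \cdot a} T'}{S \mid T \xrightarrow{n : a?e} S' \mid T'} \qquad \textsf{[out]}\quad \dfrac{S \xrightarrow{n[a!e]} S' \qquad T \xrightarrow{a \cdot e} T'}{S \mid T \xrightarrow{n : a!e} S' \mid T'} \qquad \textsf{[box]}\quad \dfrac{P \xrightarrow{\alpha} P'}{n[P] \xrightarrow{n[\alpha]} n[P']}$$

$$\textsf{[eq-p]}\quad \dfrac{P \equiv Q \qquad Q \xrightarrow{\alpha} Q' \qquad Q' \equiv P'}{P \xrightarrow{\alpha} P'} \qquad \textsf{[eq-s]}\quad \dfrac{S \equiv T \qquad T \xrightarrow{\lambda} T' \qquad T' \equiv S'}{S \xrightarrow{\lambda} S'}$$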
Rules [int] and [ext] are trivial. By [push] (resp. [pop]), a queue receives a (resp. sends the
first) datum (resp. if any). Processes can synchronise with queues according to rules [in]
and [out]. The remaining rules are rather standard. Let $S \longrightarrow$ iff there are $S'$ and $\lambda$ s.t.
$S \xrightarrow{\lambda} S'$ and $\overset{\lambda}{\Longrightarrow}$ (resp. $\Longrightarrow$) be the reflexive transitive closure of $\xrightarrow{\lambda}$ (resp. $\longrightarrow$).

3 Global Types 

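A global type $\mathcal{G}$ specifies an ordering of the interactions in a choreography. The syntax
for global types in [9] is extended with a generalised sequencing in the following syntax:

$$\mathcal{G} ::= s \to r : a\langle e \rangle.\mathcal{G} \;\;\big|\;\; \mathcal{G} ; \mathcal{G}' \;\;\big|\;\; \mathcal{G} + \mathcal{G}' \;\;\big|\;\; \mathcal{G} \mid \mathcal{G}' \;\;\big|\;\; \mu\chi.\mathcal{G} \;\;\big|\;\; \chi \;\;\big|\;\; \mathbf{0}$$

The prefix $s \to r : a\langle e \rangle$ represents an interaction where $s \in \mathbb{P}$ sends a value of sort $e$ to
$r \in \mathbb{P}$ on $a \in \mathbb{C}$ (we let $\iota$ range over interactions $s \to r : a\langle e \rangle$ and assume that $s \neq r$). The
production $\mathcal{G} ; \mathcal{G}'$ indicates a generalised form of sequencing, where the interactions in
$\mathcal{G}'$ are enabled only after the ones in $\mathcal{G}$. The production $\mathcal{G} + \mathcal{G}'$ indicates a (exclusive)
choice of interactions. Concurrent interactions are written $\mathcal{G} \mid \mathcal{G}'$. A global type $\mu\chi.\mathcal{G}$
indicates a recursive type, where $\chi$ is bound in $\mathcal{G}$. We assume that global types are
closed and that recursion is guarded. We often omit trailing occurrences of $\mathbf{0}$.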

Example 1. The first two interactions between $b_i$ and $s_i$ in the example of § 1 are

$$\mathcal{G}_i = b_i \to s_i : t_i\langle \mathsf{order} \rangle.\, s_i \to b_i : p_i\langle \mathsf{price} \rangle \qquad i \in \{1,2\} \qquad (3.1)$$

The type $\mathcal{G}_i$ says that participant $b_i$ sends a message of type order to participant $s_i$
on channel $t_i$, then $s_i$ replies with a message of type price on channel $p_i$. $\diamond$

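The smallest equivalence relation satisfying the laws for commutative monoids for
$\mid$, $+$, and $\mathbf{0}$ and the axioms below is the structural congruence for global types:

$$\mathcal{G} ; \mathbf{0} \equiv \mathcal{G} \qquad \mathbf{0} ; \mathcal{G} \equiv \mathcal{G} \qquad (\mathcal{G} ; \mathcal{G}') ; \mathcal{G}'' \equiv \mathcal{G} ; (\mathcal{G}' ; \mathcal{G}'')$$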

The syntax of global types may specify behaviours that are not implementable. The 
rest of this section borrows from [5] and [9] and adapts the requirements a global type 
must fulfil to ensure that the ordering relation it prescribes is indeed feasible. 

3.1 Channel Usage and Linearity 

It is paramount that no race occurs on the channels of a global type (i.e. a datum sent 
on a channel is received by its intended recipient). As in [9], we require that a global 
type is linear, that is actions on channels shared by different participants are temporally 
ordered. For this, we use generic environments (ranged over by C) which keep track of 
channel usage. Such environments are trees defined as follows: 

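- a single node $c$ (root only);
- a node $c$ with one subtree $C$ below it ($C$ is a child of $c$);
- a node $c$ with two subtrees $C_1$ and $C_2$ below it ($C_1$ and $C_2$ are children of $c$).
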
Each node $c$ has a label of the form $\circ$, $s \to r : a$, or $\mu\chi$ respectively representing
the root of choice or concurrent branches, an interaction between $s$ and $r$ on $a$, and a
recursive behaviour. We write $c \in C$ if $c$ is a node in $C$. We use $\_$ as a wild-card when
some of the components of a label are immaterial, e.g. $\_ \to \_ : a$ matches any label
representing an interaction on $a$. Given a tree $C$, we write $c_1 \prec c_2$ if $c_1, c_2 \in C$ and $c_2$
is a node in the sub-tree rooted at $c_1$. We adapt the definitions in [9] to our framework.

Definition 1 (Dependency relations [9]) Fix $C$, we define the following relations:

$c_1 \prec_{II} c_2$ if $c_1 \prec c_2$ and $c_i = s_i \to r : a_i$, $i \in \{1,2\}$

$c_1 \prec_{IO} c_2$ if $c_1 \prec c_2$ and $c_1 = s_1 \to r : a_1$ and $c_2 = r \to s_2 : a_2$

$c_1 \prec_{OO} c_2$ if $c_1 \prec c_2$ and $c_i = s \to r_i : a$, $i \in \{1,2\}$

An input dependency from $c_1$ to $c_2$ is a chain of the form $c_1 \prec_{\phi_1} \ldots \prec_{\phi_k} c_2$ ($k \geq 0$) such
that $\phi_i \in \{II, IO\}$ for $1 \leq i \leq k-1$ and $\phi_k = II$. An output dependency from $c_1$ to $c_2$ is
a chain $c_1 \prec_{\phi_1} \ldots \prec_{\phi_k} c_2$ ($k \geq 1$) such that $\phi_i \in \{OO, IO\}$.

Definition 2 (Linearity [9]) $C$ is linear if and only if whenever $c_1 \prec c_2$ with $c_1 = \_ \to \_ : a$
and $c_2 = \_ \to \_ : a$ then there is both input and output dependencies from $c_1$ to $c_2$.

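We also define a function $\_ \star \_$ to append trees as follows: appending $C'$ to a tree with
root $c$ and a single child $C_0$ gives the tree with root $c$ and child $C_0 \star C'$; $\bullet \star C = C$; and
appending $C'$ to a tree with root $c$ and children $C_1$ and $C_2$ gives the tree with root $c$ and
children $C_1 \star C'$ and $C_2 \star C'$;

and a partial function to append a tree $C'$ to a tree $C$ while preserving linearity:
$C \triangleleft C' = C \star C'$ if $C \star C'$ is linear, otherwise $C \triangleleft C' = \bot$. Also, let $T(\mathcal{G})$ be the total function (cf.
Appendix A.1) which returns a tree $C$ corresponding to the use of channels in $\mathcal{G}$.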



3.2 Well-formed Global Types 

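We define the conditions for a global type to be well-formed. We write $\mathcal{P}(\mathcal{G})$ (resp.
$\mathcal{C}(\mathcal{G})$) for the set of participant (resp. channel) names in $\mathcal{G}$, and $fv(\mathcal{G})$ for the set of
free variables in $\mathcal{G}$, similarly for a system $S$. We give a few accessory functions. Let

$$R(\mathcal{G}) \overset{\mathrm{def}}{=} \{\, s \to r : a \;\mid\; \mathcal{G} \equiv (s \to r : a\langle e \rangle.\mathcal{G}_1 + \mathcal{G}_2 \mid \mathcal{G}_3) \,;\, \mathcal{G}_4 \,\}$$

$$F_P(\mathcal{G}) \overset{\mathrm{def}}{=} \begin{cases} F_P(\mathcal{G}_1) \cup F_P(\mathcal{G}_2), & \mathcal{G} = \mathcal{G}_1 \mid \mathcal{G}_2 \\ \{\mathcal{P}(\mathcal{G})\}, & \text{otherwise} \end{cases}$$

$$F_O(\mathcal{P}, \mathcal{G}) \overset{\mathrm{def}}{=} \begin{cases}
F_O(\{s, r\} \cup \mathcal{P}, \mathcal{G}_1), & \mathcal{G} = s \to r : a\langle e \rangle.\mathcal{G}_1 \\
F_O(\emptyset, \mathcal{G}_1) \cup F_O(\emptyset, \mathcal{G}_2), & \mathcal{G} = \mathcal{G}_1 \mid \mathcal{G}_2 \\
F_O(\mathcal{P}, \mathcal{G}_1), & \mathcal{G} = \mathcal{G}_1 + \mathcal{G}_2 \text{ and } F_O(\mathcal{P}, \mathcal{G}_1) = F_O(\mathcal{P}, \mathcal{G}_2) \\
F_O(\mathcal{P}, \mathcal{G}_1), & \mathcal{G} = \mu\chi.\mathcal{G}_1 \\
F_O(\emptyset, \mathcal{G}_2), & \mathcal{G} = \mathcal{G}_1 ; \mathcal{G}_2 \\
\{\mathcal{P}\}, & \mathcal{G} = \mathbf{0} \text{ or } \mathcal{G} = \chi \\
\bot, & \text{otherwise}
\end{cases}$$

$R(\mathcal{G})$ is the ready set of $\mathcal{G}$. $F_P(\mathcal{G})$ is the family of sets of its participants running in
different concurrent branches. That is, $N \in F_P(\mathcal{G})$ iff all $n \in N$ are in a same top-level
thread of $\mathcal{G}$. $F_O(\mathcal{P}, \mathcal{G})$ is the family of sets of participants of $\mathcal{G}$, so that for all $N, M \in
F_O(\mathcal{P}, \mathcal{G})$, the participants in $N$ and those in $M$ are in different concurrent branches in
the last part of $\mathcal{G}$; define $F_O(\mathcal{G}) \overset{\mathrm{def}}{=} F_O(\emptyset, \mathcal{G})$. Note that $F_O(\_, \_)$ is a partial function.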

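Example 2. Let $\mathcal{G}_{i,j} = b_1 \to b_2 : c_i\langle\rangle.(b_i \to s_i : t_i\langle \mathsf{addr} \rangle \mid b_j \to s_j : \mathit{no}_j\langle\rangle)$ describe
each of the branches of the or box in the example of § 1, where $i \neq j \in \{1,2\}$, then

$$R(\mathcal{G}_{1,2}) = \{b_1 \to b_2 : c_1\}, \qquad F_P(\mathcal{G}_{1,2}) = \{\{b_1, s_1, b_2, s_2\}\}, \qquad F_O(\mathcal{G}_{1,2}) = \{\{b_1, s_1\}, \{b_2, s_2\}\}$$

The global type below corresponds to the whole protocol of § 1

$$\mathcal{G} = (\mathcal{G}_1 \mid \mathcal{G}_2) \,;\, b_2 \to b_1 : r\langle \mathsf{price} \rangle.(\mathcal{G}_{1,2} + \mathcal{G}_{2,1})$$

hence $R(\mathcal{G}) = \{b_i \to s_i : t_i\}_{i=1,2}$, $F_P(\mathcal{G}) = F_P(\mathcal{G}_{1,2})$, and $F_O(\mathcal{G}) = F_O(\mathcal{G}_{1,2})$. $\diamond$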

Well-formedness. The well-formedness of a global type $\mathcal{G}$ depends on how it uses
channels; a judgement of the form $C \vdash \mathcal{G}$ states that $\mathcal{G}$ is well-formed according to the
channel environment $C$ (cf. § 3.1); $\mathcal{G}$ is well-formed if $\bullet \vdash \mathcal{G}$ can be derived from the
rules given in Fig. 1. We assume that each premise of the rules in Fig. 1 does not hold if
any of the functions used are not defined (e.g., in [wf-;], if $F_O(\mathcal{G}) = \bot$ then $C \vdash \mathcal{G} ; \mathcal{G}'$ is
not derivable). Hereafter, we assume that a node $c$ is fresh (i.e. $c \notin C$). The environment
$C$ makes it possible to tackle one of the main requirements for a global type to be well-formed:
there should not be any race on channels. In the following, we discuss the rules of Fig. 1,
which are grouped according to three other requirements: sequentiality, single threaded,
and knowledge of choice.

Sequentiality [5]. Rules [wf-.], [wf-;] and [wf-;-0] ensure that sequentiality is preserved.
In [wf-.], there must be an ordering dependency between a prefix and its continuation so
that it is possible to implement each participant so that at least one action of the first
prefix always happens before an action of the second prefix. More concretely, we want
to avoid global types of the form, e.g.

$$s_1 \to r_1 : a\langle e \rangle.\, s_2 \to r_2 : b\langle e' \rangle \qquad ✗$$

where, evidently, it is not possible to guarantee that $s_2$ sends after $r_1$ receives on $a$.
Since we are working in an asynchronous setting, we do not want to force both send
and receive actions of the first prefix to happen before both actions of the second one.
Rule [wf-;] requires the following for generalised sequencing. (i) For each pair of "first"
participants in $\mathcal{G}'$, there exist two concurrent branches of $\mathcal{G}$ such that these two
participants appear in different branches. This is to avoid global types of the form, e.g.

$$(s_1 \to r_1 : a\langle e \rangle \mid s_2 \to r_2 : b\langle e \rangle) \,;\, s_1 \to r_1 : c\langle e \rangle \qquad ✗$$

since there is no possible sequencing between the prefix on $b$ and the one on $c$. (ii) For
all top-level concurrent branches in $\mathcal{G}$, there is a participant in that branch which is also
in one of the branches of $\mathcal{G}'$. This requirement discards global types of the form, e.g.

$$(s_1 \to r_1 : a\langle e \rangle \mid s_2 \to r_2 : b\langle e \rangle \mid s_3 \to r_3 : c\langle e \rangle) \,;\, s_1 \to r_2 : d\langle e \rangle \qquad ✗$$
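$$\textsf{[wf-.]}\quad \dfrac{\forall\, s' \to r' : \_ \in R(\mathcal{G}) : \{s', r'\} \cap \{s, r\} \neq \emptyset \qquad C \triangleleft c \vdash \mathcal{G} \qquad c = s \to r : a}{C \vdash s \to r : a\langle e \rangle.\mathcal{G}}$$

$$\textsf{[wf-;]}\quad \dfrac{\begin{array}{c} \forall\, s \to r : \_ \in R(\mathcal{G}') \,.\, \exists N_1 \neq N_2 \in F_O(\mathcal{G}) \,.\, s \in N_1 \wedge r \in N_2 \\ \forall N \in F_P(\mathcal{G}) \,.\, \exists N' \in F_P(\mathcal{G}') \,.\, N \cap N' \neq \emptyset \qquad C \vdash \mathcal{G} \qquad C \triangleleft T(\mathcal{G}) \vdash \mathcal{G}' \end{array}}{C \vdash \mathcal{G} ; \mathcal{G}'}$$

$$\textsf{[wf-|]}\quad \dfrac{\mathcal{P}(\mathcal{G}) \cap \mathcal{P}(\mathcal{G}') = \emptyset \qquad \mathcal{C}(\mathcal{G}) \cap \mathcal{C}(\mathcal{G}') = \emptyset \qquad C \vdash \mathcal{G} \qquad C \vdash \mathcal{G}'}{C \vdash \mathcal{G} \mid \mathcal{G}'}$$

$$\textsf{[wf-}\mu\chi\textsf{]}\quad \dfrac{\chi \in fv(\mathcal{G}) \implies \# F_O(\mathcal{G}) = 1 \qquad C \star c \vdash \mathcal{G} \qquad c = \mu\chi}{C \vdash \mu\chi.\mathcal{G}} \qquad \textsf{[wf-}\chi\textsf{]}\quad \dfrac{C \triangleleft C(\mu\chi)}{C \vdash \chi}$$

$$\textsf{[wf-;-0]}\quad \dfrac{C \vdash \mathcal{G}}{C \vdash \mathcal{G} ; \mathbf{0}} \qquad \textsf{[wf-0]}\quad C \vdash \mathbf{0}$$

$$\textsf{[wf-+]}\quad \dfrac{\forall\, s \to r : a \in R(\mathcal{G}) \,.\, \forall\, s' \to r' : b \in R(\mathcal{G}') \,.\, s = s' \wedge a \neq b \qquad C \vdash \mathcal{G} \qquad C \vdash \mathcal{G}'}{C \vdash \mathcal{G} + \mathcal{G}'}$$

Fig. 1. Rules for Well-formedness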



since it is not possible to enforce an order between $s_3$ and $r_3$ and the others. (iii) $\mathcal{G}$ and
$\mathcal{G}'$ are also well-formed. Observe that (i) implies that for $\mathcal{G} ; \mathcal{G}'$ to be well-formed, $\mathcal{G}$ is
of the form $\mathcal{G}_1 \mid \mathcal{G}_2$, with $\mathcal{G}_1 \neq \mathbf{0}$ and $\mathcal{G}_2 \neq \mathbf{0}$. Both [wf-.] and [wf-;] are only applicable
when linearity is preserved. Finally, rule [wf-;-0] is a special case of $\mathcal{G} ; \mathcal{G}'$.

Single threaded [9]. A participant should not appear in different concurrent branches
of a global type, so that each participant is single threaded. This is also reflected in
the calculus of § 2, where parallel composition is only allowed at the system level.
Therefore, in [wf-|], the participant (resp. channel) names in concurrent branches must
be disjoint. Rule [wf-μχ] adds a new node in $C$ to keep track of recursive usage of the
channels, and requires that $\mathcal{G}$ is single threaded, i.e. concurrent branches cannot appear
under recursion. If that was the case, a participant would appear in different concurrent
branches of the unfolding of a recursive global type. Rule [wf-χ] unfolds $C$ at $\chi$ to ensure
that the one-time unfolding of $C$ preserves linearity (see [9] for details).

Knowledge of choice [5, 9]. Whenever a global type specifies a choice of two sets of
interactions, the decision should be made by exactly one participant. For instance,

$$s_1 \to r_1 : a_1\langle e \rangle.\mathcal{G}_1 + s_2 \to r_2 : a_2\langle e' \rangle.\mathcal{G}_2 \qquad ✗$$

specifies a choice made by two participants. Indeed, $s_1$ is the one making a decision
in the first branch, while $s_2$ makes a decision in the second one; this kind of
choreographies cannot be implemented (without using hidden interactions). Also, we want
to avoid global types where a participant $n$ behaves differently in two choice branches
without being aware of the choice made by others. For instance, in

$$s \to r : a\langle e \rangle.\, n \to r : c\langle e \rangle.\mathcal{G}_1 + s \to r : b\langle e \rangle.\, n \to r : d\langle e \rangle.\mathcal{G}_2 \qquad ✗$$

$n$ ignores the choice of $s$ and behaves differently in each branch. On the other
hand, we want global types of the following form to be accepted.

$$\begin{array}{l} s \to r : a\langle e \rangle.\, n \to s : b\langle e \rangle.\, s \to n : c\langle e \rangle.\, n \to r : d\langle e \rangle \\ \quad + \\ s \to r : a'\langle e \rangle.\, n \to s : b\langle e \rangle.\, s \to n : c'\langle e \rangle.\, n \to r : d'\langle e \rangle \end{array} \qquad ✓$$

Indeed, in this case $n$ behaves differently in each branch, but only after "being
informed" by $s$ about the chosen branch.

Together with the projection map defined below, rule [wf-+] guarantees that "knowledge
of choice" is respected. In particular, the rule requires that the participant who
makes the decision is the same in every branch of a choice, while the channels guarding
the choice must be distinct.
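
The ready-set and participant-set conditions that the three groups of rules above describe can be checked mechanically. The Python code below is an added example, not code from the paper: it checks only the side conditions of [wf-.], [wf-;], [wf-|] and [wf-+] as described in the text, leaves out linearity, recursion and projection, and its names (`Msg`, `Op`, `violations`, `PROTOCOL`, ...) are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Msg:                       # s -> r : a<e>.cont  (cont=None is the type 0)
    s: str
    r: str
    a: str
    cont: object = None

@dataclass(frozen=True)
class Op:                        # kind is "|", "+" or ";"
    kind: str
    left: object
    right: object

def names(g, pick):
    """Participant or channel names of g, selected by `pick` on each prefix."""
    if g is None:
        return frozenset()
    if isinstance(g, Msg):
        return frozenset(pick(g)) | names(g.cont, pick)
    return names(g.left, pick) | names(g.right, pick)

def parts(g):
    return names(g, lambda m: (m.s, m.r))

def chans(g):
    return names(g, lambda m: (m.a,))

def ready(g):
    """Ready set R(G): the interactions that can happen first."""
    if g is None:
        return set()
    if isinstance(g, Msg):
        return {(g.s, g.r, g.a)}
    if g.kind == ";":
        return ready(g.left) or ready(g.right)
    return ready(g.left) | ready(g.right)

def threads(g):
    """F_P(G): participant sets of the top-level concurrent branches."""
    if isinstance(g, Op) and g.kind == "|":
        return threads(g.left) + threads(g.right)
    return [parts(g)]

def last(g, acc=frozenset()):
    """F_O(G): participants of the last part of each branch (None if undefined)."""
    if g is None:
        return [acc]
    if isinstance(g, Msg):
        return last(g.cont, acc | {g.s, g.r})
    if g.kind == ";":
        return last(g.right)
    start = acc if g.kind == "+" else frozenset()
    l, r = last(g.left, start), last(g.right, start)
    if l is None or r is None:
        return None
    if g.kind == "|":
        return l + r
    return l if set(l) == set(r) else None

def violations(g):
    """Names of the rules whose side conditions fail somewhere inside g."""
    if g is None:
        return set()
    if isinstance(g, Msg):
        apart = any(not {s, r} & {g.s, g.r} for s, r, _ in ready(g.cont))
        return ({"wf-."} if apart else set()) | violations(g.cont)
    bad = violations(g.left) | violations(g.right)
    if g.kind == "|" and (parts(g.left) & parts(g.right) or chans(g.left) & chans(g.right)):
        bad.add("wf-|")
    if g.kind == "+" and any(s != s2 or a == b for s, _, a in ready(g.left)
                             for s2, _, b in ready(g.right)):
        bad.add("wf-+")
    if g.kind == ";" and g.right is not None:
        fo = last(g.left) or []
        split = all(any(s in n and r in m for n in fo for m in fo if n != m)
                    for s, r, _ in ready(g.right))
        cover = all(any(n & m for m in threads(g.right)) for n in threads(g.left))
        if not (split and cover):
            bad.add("wf-;")
    return bad

def g_i(i):                      # G_i of Example 1
    return Msg(f"b{i}", f"s{i}", f"t{i}", Msg(f"s{i}", f"b{i}", f"p{i}"))

def g_ij(i, j):                  # G_{i,j} of Example 2
    return Msg("b1", "b2", f"c{i}", Op("|", Msg(f"b{i}", f"s{i}", f"t{i}"),
                                       Msg(f"b{j}", f"s{j}", f"no{j}")))

# The whole protocol of Example 2, and two of the choice examples above.
PROTOCOL = Op(";", Op("|", g_i(1), g_i(2)),
              Msg("b2", "b1", "r", Op("+", g_ij(1, 2), g_ij(2, 1))))
TWO_DECIDERS = Op("+", Msg("s1", "r1", "a1"), Msg("s2", "r2", "a2"))
INFORMED = Op("+",
    Msg("s", "r", "a", Msg("n", "s", "b", Msg("s", "n", "c", Msg("n", "r", "d")))),
    Msg("s", "r", "a'", Msg("n", "s", "b", Msg("s", "n", "c'", Msg("n", "r", "d'")))))
```

The second ✗ example of the knowledge-of-choice paragraph passes these checks, since it is ruled out by the projection map rather than by the premise of [wf-+].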

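Definition 1 ($\_\!\upharpoonright_{\_}$). The projection of a global type $\mathcal{G}$ wrt. $n \in \mathcal{P}(\mathcal{G})$ is defined as

$$\mathcal{G}\!\upharpoonright_n \;\overset{\mathrm{def}}{=}\; \begin{cases}
a?e.\,\mathcal{G}'\!\upharpoonright_n, & \text{if } \mathcal{G} = s \to n : a\langle e \rangle.\mathcal{G}' \\
a!e.\,\mathcal{G}'\!\upharpoonright_n, & \text{if } \mathcal{G} = n \to r : a\langle e \rangle.\mathcal{G}' \\
\mathcal{G}'\!\upharpoonright_n, & \text{if } \mathcal{G} = s \to r : a\langle e \rangle.\mathcal{G}' \text{ and } s \neq n \neq r \\
\mathcal{G}_1\!\upharpoonright_n \uplus\; \mathcal{G}_2\!\upharpoonright_n, & \text{if } \mathcal{G} = \mathcal{G}_1 + \mathcal{G}_2 \\
\mathcal{G}_i\!\upharpoonright_n, & \text{if } \mathcal{G} = \mathcal{G}_1 \mid \mathcal{G}_2 \text{ and } n \notin \mathcal{P}(\mathcal{G}_j),\ i \neq j \in \{1,2\} \\
\mathcal{G}_1\!\upharpoonright_n[\mathcal{G}_2\!\upharpoonright_n / \mathbf{0}], & \text{if } \mathcal{G} = \mathcal{G}_1 ; \mathcal{G}_2 \\
\mu\chi.\,\mathcal{G}'\!\upharpoonright_n, & \text{if } \mathcal{G} = \mu\chi.\mathcal{G}' \\
\mathcal{G}, & \text{if } \mathcal{G} = \chi \text{ or } \mathcal{G} = \mathbf{0} \\
\bot, & \text{otherwise}
\end{cases}$$

We say that a global type is projectable if $\mathcal{G}\!\upharpoonright_n$ is defined for all $n \in \mathcal{P}(\mathcal{G})$.

The projection map is similar to the one given in [9], but for the generalised sequencing
case and the use of $\uplus$ to project choice branches. Observe that if $\mathcal{G} = \mathcal{G}_1 ; \mathcal{G}_2$, we
replace $\mathbf{0}$ by the projection of $\mathcal{G}_2$ in the projection of $\mathcal{G}_1$. Function $\_ \uplus \_$ basically merges
(if possible) the behaviour of a participant in different choice branches; $\_ \uplus \_$ is defined
only when the behaviour is the same in all branches, or if it differs after having received
enough information about the branch which was chosen. The definition of $\_ \uplus \_$ is given
in Appendix A.2. A global type may be projected even if it is not well-formed, but in that
case none of the properties given below are guaranteed to hold.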



4 Synthesising Global Types 

We now introduce a typing system to synthesise a global type $\mathcal{G}$ from a system $S$ so that
$S$ satisfies safety and progress properties (e.g. no race on channels and no participant
gets stuck). Also, the set of typable systems corresponds exactly to the set of systems
obtained by projecting well-formed global types. To synthesise $\mathcal{G}$ from a system $S$, a
careful analysis of what actions can occur at each possible state of $S$ is necessary.
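If $S \equiv n[P] \mid S'$ then $S(n)$ denotes $P$ (if $S \not\equiv n[P] \mid S'$ then $S(n) = \bot$). We define the
ready set of a system as follows:

$$R(S) \overset{\mathrm{def}}{=} \begin{cases}
\{a_i \mid i \in I\} \cup R(S') & \text{if } S \equiv r[\sum_{i \in I} a_i?e_i.P_i] \mid S' \\
\{\overline{a_i} \mid i \in I\} \cup R(S') & \text{if } S \equiv s[\bigoplus_{i \in I} a_i!e_i.P_i] \mid S' \\
\{\overline{a}\} \cup R(S') & \text{if } S \equiv a : e \cdot \rho \mid S' \\
\emptyset & \text{if } S \equiv \mathbf{0}
\end{cases}$$

We overload $R(\_)$ on behaviours in the obvious way and define $\overline{R}(S) = \{a \in \mathbb{C} \mid a \in
R(S) \text{ or } \overline{a} \in R(S)\}$ and $S\updownarrow \iff \exists a \in \mathbb{C} : a \in R(S) \wedge \overline{a} \in R(S)$; we write $S \not\updownarrow$ if $S\updownarrow$ does
not hold.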



4.1 Validation Rules 

A judgement of the form $A ; \Gamma ; C \vdash S \blacktriangleright \mathcal{G}$ says that the system $S$ forms a choreography
defined by a global type $\mathcal{G}$, under the environments $A$, $\Gamma$, and $C$. The environment $A$ is a
superset of the channel names used in $S$, and corresponds to the channels $S$ is entitled to
use. The environment $\Gamma$ maps participant names and local recursion variables to global
recursion variables ($\circ$ is the empty context $\Gamma$). The channel environment $C$ records the
use of channels. Hereafter, we use $\cdot$ for the disjoint union of environments.

Programs. A global type $\mathcal{G}$ can be synthesised from the program $S$ if the judgement

$$\mathcal{C}(S) ; \circ ; \bullet \vdash S \blacktriangleright \mathcal{G}$$

(stating that $S$ is entitled to use all its channels in empty environments) is derivable from
the rules in Fig. 2 (driven by the ready set of $S$ and the structure of its processes).

Rule [.] validates prefixes provided that the system is entitled to linearly use the
channel $a$, that the continuation is typable, and that no other interactions are possible in
$S$. For instance, [.] does not apply to

$$s_1[a!e.P_1] \mid r_1[a?e.Q_1] \mid s_2[b!e.P_2] \mid r_2[b?e.Q_2] \qquad ✗$$

because there is no ordering relation between the actions on $a$ and $b$; in this case either
[ | ] or [;] should be used.

Rule [ | ] validates concurrent branches when they can be validated using a partition $A_1$
and $A_2$ of the channels (recall that $\mathcal{P}(S) \cap \mathcal{P}(S') = \emptyset$).

Rule [;] splits the system into two sequential parts and it relies on the function split(_)
defined in § 4.2; for now it suffices to notice that linearity is checked for in the second
part of the split by adding the channel environment corresponding to $\mathcal{G}_1$ to $C$ (recall that
$C \triangleleft C'$ is undefined if $C \star C'$ is not linear).

Rule [⊕] introduces the global type choice operator; it requires that both branches are
typable and that no other interactions are possible in $S$.

Rule [+] allows to discharge a branch of an external choice; together with the premises
of [ | ], rule [+] discards systems such as the one on left below (due to a race on $b$) but
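$$\textsf{[.]}\quad \dfrac{\{a\} \cup A ; \Gamma ; C \triangleleft c \vdash s[P] \mid r[Q] \mid S \blacktriangleright \mathcal{G} \qquad c = s \to r : a \qquad S \not\updownarrow}{\{a\} \cup A ; \Gamma ; C \vdash s[a!e.P] \mid r[a?e.Q] \mid S \blacktriangleright s \to r : a\langle e \rangle.\mathcal{G}}$$

$$\textsf{[|]}\quad \dfrac{A_1 ; \circ ; C \vdash S \blacktriangleright \mathcal{G} \qquad A_2 ; \circ ; C \vdash S' \blacktriangleright \mathcal{G}' \qquad A_1 \cap A_2 = \emptyset}{A_1 \cup A_2 ; \Gamma ; C \vdash S \mid S' \blacktriangleright \mathcal{G} \mid \mathcal{G}'}$$

$$\textsf{[;]}\quad \dfrac{A ; \circ ; C \vdash S_1 \blacktriangleright \mathcal{G}_1 \qquad \mathrm{split}(S) = (S_1, S_2) \qquad A ; \circ ; C \triangleleft T(\mathcal{G}_1) \vdash S_2 \blacktriangleright \mathcal{G}_2}{A ; \Gamma ; C \vdash S \blacktriangleright \mathcal{G}_1 ; \mathcal{G}_2}$$

$$\textsf{[}\oplus\textsf{]}\quad \dfrac{A ; \Gamma ; C \vdash s[P] \mid S \blacktriangleright \mathcal{G} \qquad A ; \Gamma ; C \vdash s[Q] \mid S \blacktriangleright \mathcal{G}' \qquad S \not\updownarrow}{A ; \Gamma ; C \vdash s[P \oplus Q] \mid S \blacktriangleright \mathcal{G} + \mathcal{G}'}$$

$$\textsf{[+]}\quad \dfrac{\overline{R}(Q) \subseteq A \qquad A ; \Gamma ; C \vdash r[P] \mid S \blacktriangleright \mathcal{G} \qquad S \not\updownarrow}{A ; \Gamma ; C \vdash r[P + Q] \mid S \blacktriangleright \mathcal{G}}$$

$$\textsf{[}\mu\textsf{]}\quad \dfrac{\begin{array}{c} \exists\, 1 \leq i, j \leq k \,.\, (n_i[P_i] \mid n_j[P_j])\updownarrow \\ A ; \Gamma \cdot (n_1, x_1) : \chi, \ldots, (n_k, x_k) : \chi ; C \star \mu\chi \vdash n_1[P_1] \mid \ldots \mid n_k[P_k] \blacktriangleright \mathcal{G} \end{array}}{A ; \Gamma ; C \vdash n_1[\mu x_1.P_1] \mid \ldots \mid n_k[\mu x_k.P_k] \blacktriangleright \mu\chi.\mathcal{G}}$$

$$\textsf{[x]}\quad \dfrac{\forall\, 1 \leq i \leq k \,.\, \Gamma(n_i, x_i) = \chi \qquad C \triangleleft C(\mu\chi)}{A ; \Gamma ; C \vdash n_1[x_1] \mid \ldots \mid n_k[x_k] \blacktriangleright \chi}$$

$$\textsf{[eq]}\quad \dfrac{S \equiv S' \qquad A ; \Gamma ; C \vdash S' \blacktriangleright \mathcal{G}}{A ; \Gamma ; C \vdash S \blacktriangleright \mathcal{G}} \qquad \textsf{[0]}\quad \dfrac{\forall n \in \mathcal{P}(S) \,.\, S(n) = \mathbf{0} \qquad \mathcal{C}(S) = \emptyset}{A ; \Gamma ; C \vdash S \blacktriangleright \mathbf{0}}$$

Fig. 2. Validation Rules for Programs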



permits those like the one on the right (as only the channels guarding the choice must
be in $A$).

$$r_1[a?e + b?e] \mid s_2[b!e] \mid r_2[b?e] \quad ✗ \qquad\qquad s_1[a!e] \mid r_1[a?e + c?e.b?e] \mid s_2[b!e] \mid r_2[b?e] \quad ✓$$

Rules [μ] and [x] handle recursive systems. The former rule "guesses" the participants
involved in a recursive behaviour. If two of them interact, [μ] validates the recursion
provided that the system can be typed when such participants are associated to the
global recursion variable $\chi$ (assuming that $\chi$ is not in $\Gamma$). Rule [x] checks that all the
participants in the recursion have reached a local recursion variable corresponding to
the global recursion, and that the unfolding of $C$ on $\mu\chi$ preserves linearity; for this we
define $C(\mu\chi)$ to be the subtree of $C$ rooted at the deepest node of $C$ labelled by $\mu\chi$ (note
that this node is unique since bound variables are distinct).

Rule [0] only applies when all the participants in S end while [eq] validates a system up 
to structural congruence. 

Theorem 1 (Decidability). Typability is decidable. 

The proof follows from the fact that the typing is done wrt the (finite) partitions of
channels in a system, and that the number of required behaviour unfoldings is finite.

Theorem 2 (Unique typing). If $A ; \Gamma ; C \vdash S \blacktriangleright \mathcal{G}$ and $A ; \Gamma ; C \vdash S \blacktriangleright \mathcal{G}'$ then $\mathcal{G} \equiv \mathcal{G}'$.

Theorem 3 (Well-formedness). If $A ; \Gamma ; C \vdash S \blacktriangleright \mathcal{G}$ then $\bullet \vdash \mathcal{G}$ and $\mathcal{G}$ is projectable.

The proofs for these two theorems are by induction on the structure of the derivation.

Runtime system. In order to have subject reduction for our typing system, queues
have to be handled effectively; we use a distinguished participant name $\star$ to denote an
anonymous participant. Assume $\star \notin \mathbb{P}$ and write $\star \to r : a\langle e \rangle.\mathcal{G}$ to specify that there is
a message of sort $e$ on channel $a$ for participant $r$.

Example 3. Let $S = n[a!e] \mid s[b!e.a?e] \mid r[b?e] \mid a : [] \mid b : []$. Consider the judgement

$$A ; \Gamma ; C \vdash S \blacktriangleright s \to r : b\langle e \rangle.\, n \to s : a\langle e \rangle$$

If $S$ evolves to $S' = n[\mathbf{0}] \mid s[b!e.a?e] \mid r[b?e] \mid a : e \mid b : []$, the identity of the sender $n$
is lost. However, the judgement

$$A ; \Gamma ; C \vdash S' \blacktriangleright s \to r : b\langle e \rangle.\, \star \to s : a\langle e \rangle$$

types $S'$ using $\star$. $\diamond$
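Runtime systems can be handled by slightly extending Def. 1 so that we have$^1$

$c_1 \prec_{OO} c_2$ if $c_1 \prec c_2$ and $c_1 = \star \to r : a$ and $c_2 = s \to r : a$

and by adding two rules to the validation rules for handling queues:

$$\textsf{[}\rho\textsf{]}\quad \dfrac{\{a\} \cup A ; \circ ; C \triangleleft c \vdash a : \rho \mid r[P] \mid S \blacktriangleright \mathcal{G} \qquad c = \star \to r : a \qquad S \not\updownarrow}{\{a\} \cup A ; \Gamma ; C \vdash a : e \cdot \rho \mid r[a?e.P] \mid S \blacktriangleright \star \to r : a\langle e \rangle.\mathcal{G}} \qquad \textsf{[[]]}\quad \dfrac{A ; \Gamma ; C \vdash S \blacktriangleright \mathcal{G}}{A ; \Gamma ; C \vdash a : [] \mid S \blacktriangleright \mathcal{G}}$$

Rule [ρ] is similar to rule [.], except that a non-empty queue replaces the sender, and $\Gamma$
is emptied. Rule [[]] simply allows to remove empty queues from the system.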

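Theorem 4. If $A ; \circ ; C \vdash S \blacktriangleright \mathcal{G}$, $S \xrightarrow{\lambda} S'$, and $\mathcal{C}(\lambda) \subseteq A$ then $A ; \circ ; C \vdash S' \blacktriangleright \mathcal{G}'$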

The proof is by case analysis on the different types of transitions a system can make. The 
recursive case follows from the fact that reduction preserves closeness of behaviours. 

4.2 Splitting Systems 

The purpose of systems' splitting is to group participants according to their interactions.
For this we use judgements of the form

$$\Psi ; \Theta \vdash S \asymp \Omega \qquad (4.1)$$

which reads as "$S$ splits as $\Omega$ under $\Psi$ and $\Theta$". The environment $\Psi$ is a set of (pairwise
disjoint) ensembles, that is disjoint sets $N \subseteq \mathcal{P}(S)$ containing participants that interact
with each other for a while; and then some of them may interact with participants in
other ensembles in $\Psi$. The environment $\Theta$ is a set of (pairwise disjoint) duos, that is
two-element sets of participants $\{s, r \in \mathcal{P}(S) : r \neq s\}$ representing the first participants
able to interact once the first part of the split is finished. Under suitable conditions,
one could identify when $n \in N$ has to interact with a participant of another ensemble.
In other words, one can divide $S(n)$ as $n[P_1 \cdot \epsilon \cdot P_2]$: the interactions in $P_1$ happen with
participants in the ensemble of $n$, while $P_2$ starts interacting with a participant in another
ensemble. Finally, the environment $\Omega$ assigns behaviours augmented with a separator $\epsilon$
to participant names, and lists of sorts to queues $a$.

$^1$ This extension makes sense since the order of messages is preserved in the calculus.

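Given a judgement as (4.1), we say that $N, M \in \Psi$ are $\Theta$-linked ($N \overset{\Theta}{\leftrightarrow} M$ in symbols)
iff $\exists D \in \Theta : N \cap D \neq \emptyset \wedge D \cap M \neq \emptyset$; also, we say that $n, m \in \mathcal{P}(S)$ are $\Omega$-linked ($n \overset{\Omega}{\leftrightarrow} m$ in
symbols) iff $\mathcal{C}(\Omega(n)) \cap \mathcal{C}(\Omega(m)) \neq \emptyset$. We define $S[N] = \prod_{n \in N} n[S(n)] \mid \prod_{a \in \mathcal{C}(S)} a : S(a)$.

Definition 2. The judgement $\Psi ; \Theta \vdash S \asymp \Omega$ is coherent if it can be derived from the
rules in Fig. 3, $\Theta \neq \emptyset$, and for all $N \in \Psi$, $S[N]\updownarrow$ and the following conditions hold

$$\exists! n \in N : \big( (\exists! m \in N \setminus \{n\} : S[N \setminus \{n\}] \not\updownarrow \wedge\; S[N \setminus \{m\}] \not\updownarrow) \text{ or } (S[N \setminus \{n\}] \not\updownarrow) \big) \qquad (4.2)$$

$$\overset{\Omega}{\Leftrightarrow} \text{ is total on } N \text{ and } \overset{\Theta}{\leftrightarrow}{}^{+} \text{ is total on } \Psi \qquad (4.3)$$

where $\overset{\Omega}{\Leftrightarrow}$ is the reflexive and transitive closure of $\overset{\Omega}{\leftrightarrow}$ and $\overset{\Theta}{\leftrightarrow}{}^{+}$ is the
transitive closure of $\overset{\Theta}{\leftrightarrow}$.

Essentially, Def. 2 ensures that rule [;] is the only rule of Fig. 2 applicable when the
system can be split. Condition (4.2) ensures that, in each ensemble $N$, there is a unique
pair of synchronising participants or there is a unique participant that can synchronise
with a queue $a$. Condition (4.3) is the local counterpart of the well-formedness rule for
global types of the form $\mathcal{G} ; \mathcal{G}'$. The totality of $\overset{\Omega}{\Leftrightarrow}$ on $N$ guarantees that the participants
in an ensemble share channels. The totality of $\overset{\Theta}{\leftrightarrow}{}^{+}$ on $\Psi$ guarantees that each ensemble
in $\Psi$ has one "representative" which is one of the first participants to interact in the
second part of the split. Together with condition $\Theta \neq \emptyset$, the condition on $\overset{\Theta}{\leftrightarrow}{}^{+}$ ensures
that there are (at least) two ensembles of participants in $\Psi$. Note that (4.3) also ensures
that all the sets of participants in $\Psi$ are interdependent (i.e. one cannot divide them into
independent systems, in which case rule [ | ] should be used).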

A judgement (4.1) is to be derived with the rules of Fig. 3 (we omit rules for
commutativity and associativity of systems). The derivation is driven by the structure of up
to two processes in $S$, and whether they are in the same ensemble and/or form a duo.

Rule [ε] marks two processes $m$ and $n$ as "to be split" when $m$ and $n$ form a duo in $\Theta$
and are in different ensembles of $\Psi$. The continuation of the system is to be split as
well, with $m$ and $n$ removed from the system and from the environments.
Rule [sync] records in $\Omega$ the interactions of participants in a same ensemble of $\Psi$.
Rule [+] discharges the branch of an external choice for participants in a same ensemble
while [⊕] deals with internal choice. The premise $\Omega \bowtie \Omega'$ holds only when $\Omega$ and $\Omega'$
have the same domain and differ only up to external choice, i.e. for each $n$ either its
split is the same in both branches, or its split is an external choice (guarded by different
channels); $\Omega \sqcup \Omega'$ merges $\Omega$ and $\Omega'$ accordingly (cf. Appendix A.3). The additional
premise $(n[P \oplus P'] \mid m[Q])\updownarrow$ is required so that the split is done before a branching if a
participant cannot interact with one of its peers in $N$ after the branching.
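$$\textsf{[}\epsilon\textsf{]}\quad \dfrac{n \in N,\ m \in M \qquad (n[P] \mid m[Q])\updownarrow \qquad \Psi \cdot N \setminus \{n\} \cdot M \setminus \{m\} ; \Theta \vdash S \asymp \Omega}{\Psi \cdot N \cdot M ; \Theta \cdot \{n, m\} \vdash n[P] \mid m[Q] \mid S \asymp \Omega \cdot n : \epsilon \cdot m : \epsilon}$$

$$\textsf{[sync]}\quad \dfrac{s, r \in N \qquad \Psi \cdot N ; \Theta \vdash s[P] \mid r[Q] \mid S \asymp \Omega \cdot s : \pi \cdot r : \varphi}{\Psi \cdot N ; \Theta \vdash s[a!e.P] \mid r[a?e.Q] \mid S \asymp \Omega \cdot s : a!e.\pi \cdot r : a?e.\varphi}$$

$$\textsf{[+]}\quad \dfrac{m, n \in N \qquad (m[P] \mid n[Q])\updownarrow \qquad \Psi \cdot N ; \Theta \vdash m[P] \mid n[Q] \mid S \asymp \Omega \cdot m : \pi}{\Psi \cdot N ; \Theta \vdash m[P + P'] \mid n[Q] \mid S \asymp \Omega \cdot m : \pi}$$

$$\textsf{[}\oplus\textsf{]}\quad \dfrac{\begin{array}{c} n, m \in N \qquad (n[P \oplus P'] \mid m[Q])\updownarrow \qquad \Omega \bowtie \Omega' \\ \Psi \cdot N ; \Theta \vdash n[P] \mid m[Q] \mid S \asymp \Omega \cdot n : \pi \qquad \Psi \cdot N ; \Theta \vdash n[P'] \mid m[Q] \mid S \asymp \Omega' \cdot n : \varphi \end{array}}{\Psi \cdot N ; \Theta \vdash n[P \oplus P'] \mid m[Q] \mid S \asymp \Omega \sqcup \Omega' \cdot n : \pi \oplus \varphi}$$

$$\textsf{[ax]}\quad \{\emptyset\} ; \emptyset \vdash \mathbf{0} \asymp \emptyset \qquad\qquad \textsf{[0]}\quad \dfrac{\Psi \setminus n ; \Theta \vdash S \asymp \Omega}{\Psi ; \Theta \vdash n[\mathbf{0}] \mid S \asymp \Omega \cdot n : \mathbf{0}}$$

$$\textsf{[rem]}\quad \dfrac{(n[P] \mid S) \not\updownarrow \qquad P \neq \mathbf{0} \qquad \Psi \setminus n ; \Theta \vdash S \asymp \Omega}{\Psi ; \Theta \vdash n[P] \mid S \asymp \Omega \cdot n : \epsilon}$$

$$\textsf{[q]}\quad \dfrac{r \in N \qquad \Psi \cdot N ; \Theta \vdash r[P] \mid S \asymp \Omega \cdot r : \pi \cdot a : \rho}{\Psi \cdot N ; \Theta \vdash r[a?e.P] \mid a : e \cdot \rho \mid S \asymp \Omega \cdot r : a?e.\pi \cdot a : e \cdot \rho}$$

Fig. 3. Splitting Systems.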



Rule [ax] terminates a derivation (all environments emptied) while [0] completes the split
of a process (abusing notation, $\Psi \setminus n$ denotes the removal of $n$ from any $N \in \Psi$).
Rule [rem] marks a process to be split when it cannot interact with anyone in $S$. The
premise $P \neq \mathbf{0}$ allows to differentiate a process which terminates after the split from
others which terminate before. In the latter case, rule [0] is to be used.
Rule [q] records in $\Omega$ interactions with non-empty queues.

We now define a (partial) function split which splits a system into two parts. 

Definition 3 (split(_)). Let Ψ; Θ ⊢ S ≎ Ω be a coherent judgement. Define split(S) = 
(S1, S2) where 

- ∀n ∈ 𝒫(S). S1(n) = S(n) − Ω(n) and S2(n) = S(n) % Ω(n) 

- ∀a ∈ 𝒞(S). S1(a) = Ω(a) and S2(a) = S(a) \ Ω(a) 

if S(n) % Ω(n) ≠ ⊥ for all n ∈ 𝒫(S), and split(S) = ⊥ otherwise. 

The auxiliary functions _ − _ and _ % _ used in Def. 3 are defined in Appendix A.3; we 
give here their intuitive description. Let n ∈ 𝒫(S), and Ψ; Θ ⊢ S ≎ Ω be a coherent 
judgement. Function S(n) − Ω(n) returns the "first part" of the split of n, that is the 
longest common prefix of S(n) and Ω(n), while S(n) % Ω(n) is partial and returns 
the remaining part of the behaviour of S(n) after Ω(n). 

Example 4. Taking Sbs as in § 1, we have split(Sbs) = (S1, S2) such that 

■Sl(bi) = ti !order./?i?price ^(bi) = r?price.(ci \.t\ !addr ffic 2 !.noi !) 
Si(si) = /,?order./?i!price S 2 (si) = f,?addr+ nop. 

Note that {{b1,s1},{b2,s2}}; {{b1,b2}} ⊢ Sbs ≎ Ω is coherent. ⋄ 
4.3 Properties of Synthesised Global Type 

Progress and safety. If a system is typable, then it will either terminate or be able to 
make further transitions (e.g. if there are recursive processes). 

Theorem 5. If A; ◦; C ⊢ S ▸ G then S → S', or ∀n ∈ 𝒫(S). S(n) = 0, or S -A. 
Let us add the rule [error] below to the semantics given in § 2. 

[error] j e f= e 

S | T — > error 

Theorem 6. If A; ◦; C ⊢ S ▸ G, then S is race free and S ⇒→ error is not possible. 
The proofs of Theorems 5 and 6 are by contradiction, using Theorem 4. 

Behavioural equivalences. We show that there is a correspondence between the original 
system and the projections of its global type. First, let us introduce two relations. 

Definition 3 ( < and w) P < Q if and only if Q Q' then there is P' such that P 
P '. Also, S~T iff whenever S S' then T T' and S' ~ T' ; and whenever T T' 
then S S' and S' w T' where a £ {n : a!e,n : a?e, /}. 

The behaviour of a participant in S is a simulation of the projection of a synthesised 
global type from S onto this participant. Intuitively, the other direction is lost due to 
rule [+], indeed external choice branches which are never chosen are not "recorded" in 
the synthesised global type. 

Lemma 1. If A; ◦; C ⊢ S ▸ G then ∀n ∈ S. G↾n ≲ S(n). 

The proof is by case analysis on the transitions of S, using Theorem 4. 

Since the branches that are not recorded in a synthesised global type are only those 
which are never chosen, we have the following result. 

Theorem 7. If A; ◦; C ⊢ S ▸ G then ∏_{n∈𝒫(S)} n[G↾n] ≈ S. 

The proof is by case analysis on the transitions of S, using Theorem 4 and Lemma 1 . 

Our completeness result shows that every well-formed and projectable global type 
is inhabited by the system consisting of the parallel composition of all its projections. 

Theorem 8. If and Q is projectable, then there is Q' = Q such that A;T;C h 
The proof is by induction on the structure of (well-formed) Q. 



5 Concluding Remarks and Related Work 

We presented a typing system that, under some conditions, permits to synthesise a 
choreography (represented as global type) from a set of end-point types (represented 
as local types). The synthesised global type is unique and well-formed; moreover, its 
projections are equivalent to the original local session types. We have shown safety and 
progress properties for the local session types. Finally, the derivatives of local types 
which form a choreography can also be assigned a global type (subject reduction). 
Related work. A bottom-up approach to build choreographies is studied in [11]; this 
work relies on global and local types, but uses local and global graphs. A local graph 
is similar to a local type while a global graph is a disjoint union of a family of local 
graphs. We contend that global types are more suitable than global graphs to represent 
choreographies; in fact, differently from the approach in [11], our work allows us to reuse 
most of the theories and techniques based on multiparty global types. 

Our work lies on the boundary between theories based on global types (e.g. [1, 5, 7, 
9]) and the ones based on the conversation types [3]. Our work relies on the formalism 
of global types, but uses it the other way around. We start from local types and construct 
a global type. We have discussed the key elements of the global types in § 3. 

Conversation types [3] abandon global views of distributed interactions in favour of 
a more flexible type structure allowing participants to dynamically join and leave 
sessions. The approach in [6] fills the gap between the theories based on session types and 
those based on behavioural contracts [4] (where the behaviour of a program is 
approximated by some term in a process algebra). We are also inspired by [12], where session 
types are viewed as CCS-like "projections" of process behaviours. The approach of 
considering local types as processes is similar to ours. However, the theory of [12] is based 
on a testing approach. The connectedness conditions for a choreography given in [2] are 
similar to our notion of well-formed global type. 

Future work. We aim to extend the framework so that global types can be constructed 
from session types which feature name passing and restriction. We also plan to refine 
the theory and use it in a methodology so that if a choreography cannot be synthesised, 
the designers are given indications on why this has failed. Finally, we are considering 
implementing an algorithm from the rules of Fig. 2 and Fig. 3, and integrating it in an 
existing tool [10] implementing the framework from [1]. 

References 

1. L. Bocchi, K. Honda, E. Tuosto, and N. Yoshida. A theory of design-by-contract for 
distributed multiparty interactions. In CONCUR, 2010. 

2. M. Bravetti, I. Lanese, and G. Zavattaro. Contract-driven implementation of choreographies. 
In TGC, 2008. 

3. L. Caires and H. T. Vieira. Conversation types. In ESOP, 2009. 

4. S. Carpineti, G. Castagna, C. Laneve, and L. Padovani. A formal account of contracts for 
web services. In WS-FM, 2006. 

5. G. Castagna, M. Dezani-Ciancaglini, and L. Padovani. On global types and multi-party 
sessions. In FMOODS/FORTE, 2011. 

6. G. Castagna and L. Padovani. Contracts for mobile processes. In CONCUR, 2009. 

7. P.-M. Denielou and N. Yoshida. Dynamic multirole session types. In POPL, 2011. 

8. K. Honda, V. T. Vasconcelos, and M. Kubo. Language primitives and type discipline for 
structured communication-based programming. In ESOP, 1998. 

9. K. Honda, N. Yoshida, and M. Carbone. Multiparty asynchronous session types. In POPL, 
2008. 

10. J. Lange and E. Tuosto. A modular toolkit for distributed interactions. In PLACES, 2010. 

11. D. Mostrous, N. Yoshida, and K. Honda. Global principal typing in partially commutative 
asynchronous sessions. In ESOP, 2009. 

12. L. Padovani. On projecting processes into session types. MSCS, 22:237-289, 2012. 






A Additional Definitions 



In this section, we give the definitions of the accessory functions used in the main 
sections of the paper. 



A.1 Linearity 
Definition 4 (T(_)). 



s -> r : a /j% 

?{g) i{g) 



T(g+g r ) = 



T(g) T(g>) 



T(g | g>) = 



T(g) T(g>) 



<T(g;g>) = <i(g)*<i(g') r(0) = <r(%) = . 

The function T(_) returns a channel environment corresponding to a global type. 



A.2 Projections 



Definition 5 (_ ⊔ _). 

P ⊔ Q = 
  P + Q,            if P = Σ_{i∈I} a_i?e_i.P'_i and Q = Σ_{j∈J} a_j?e_j.Q'_j 
                    and ∀i ∈ I. ∀j ∈ J. a_i ≠ a_j and I, J ≠ ∅ 
  P ⊕ Q,            if P = ⊕_{i∈I} a_i!e_i.P'_i and Q = ⊕_{j∈J} a_j!e_j.Q'_j 
                    and ∀i ∈ I. ∀j ∈ J. a_i ≠ a_j and I, J ≠ ∅ 
  a†(e).(P' ⊔ Q'),  if P = a†(e).P' and Q = a†(e).Q', † ∈ {!,?} 
  P,                if P = Q 
  ⊥,                otherwise 



The function merges the behaviour of a participant in different choice branches. In the 
first two cases, it merges two guarded internal (resp. external) choices, if their sets of 
guard channels are disjoint. In the third case, the function merges the continuation of 
both processes, if both are guarded by the same prefix. Note that it is a partial function, 
e.g. it might be the case that a participant behaves differently in two branches without 
being aware of which branch was chosen, in which case the projection of that participant 
is undefined. 
Definition 6 (Substitution). The substitution P[Q/R], where R is 0. 

P[Q/R] = 
  a!e.(P'[Q/R])        if P = a!e.P' 
  a?e.(P'[Q/R])        if P = a?e.P' 
  P1[Q/R] ⊕ P2[Q/R]    if P = P1 ⊕ P2 
  P1[Q/R] + P2[Q/R]    if P = P1 + P2 
  μx.(P'[Q/R])         if P = μx.P' 
  Q                    if P = R = 
  P                    otherwise 

Substitution is used in the projection map. 

A.3 Splitting Systems 

Omitted rules in Fig. 3: 

V; © h S' | S o £2 *P; h (S \ T) \ T 1 o £2 

, } [com] — ; 7- 

*P; © h S | S' o £2 »P; h- S | (r | T') = £2 

Definition 7 (_ ≍ _). Ω ≍ Ω' holds if and only if ∀n ∈ 𝒫(Ω) ∪ 𝒫(Ω') either 

Ω(n) = Ω'(n) or (Ω(n) = Σ_{i∈I} a_i?e_i.P_i and Ω'(n) = Σ_{j∈J} a_j?e_j.P_j) 

where ∀i ∈ I. ∀j ∈ J. a_i ≠ a_j. 

The boolean function _ ≍ _ holds only if two maps Ω differ wrt external choice. 

Definition 8 (_ ⊔ _). 

Ω = Ω0 ⊔ Ω1 is defined only if Ω0 ≍ Ω1 holds, in which case 



[com] 



∀n ∈ 𝒫(Ω0) ∪ 𝒫(Ω1). Ω(n) = merge(Ω0(n), Ω1(n)) 

where 

merge(P, Q) = 
  P,      if P = Q 
  P + Q,  if P = Σ_{i∈I} a_i?e_i.P_i and Q = Σ_{j∈J} a_j?e_j.P_j 

The function _ ⊔ _ merges two Ω maps, if _ ≍ _ holds. 
Definition 9 (_ − _). 

P − Q = 
  ⊕_{(k,k')∈K} a_k!e_k.(P_k − Q_k'),                      if P = ⊕_{i∈I} a_i!e_i.P_i and Q = ⊕_{j∈J} a_j!e_j.Q_j 
  Σ_{(k,k')∈K} a_k?e_k.(P_k − Q_k') + Σ_{n∈N} a_n?e_n.P_n,  if P = Σ_{i∈I} a_i?e_i.P_i and Q = Σ_{j∈J} a_j?e_j.Q_j 
  0,                                                      if P ≡ 0 and Q ≡ 0, or Q = ε 

where K = {(i,j) ∈ I × J | a_i = a_j} and N = {n ∈ I | ∀j ∈ J. a_n ≠ a_j}. 
The function _ − _ computes the first part of a split behaviour, given the original 
behaviour, e.g. S(n) and its prefix in Ω(n). The case for external choices keeps the 
branches from the original behaviour which do not appear in Ω(n). The rationale is that 
even if some branches are never "chosen" in the system, they might still induce e.g. 
races and therefore they need to be taken into account in the main system. 

Definition 10 (_ % _). 

P % Q = 
  P0,  if P = ⊕_{i∈I} a_i!e_i.P_i and Q = 
  P0,  if P = Σ_{i∈I} a_i?e_i.P_i and Q = 
  0,   if P = 0 and Q = 0 
  P,   if Q = ε 
  ⊥,   otherwise 

with P0 defined as follows 

P0 = 
  P_i % Q_j with (i,j) ∈ K,  if ∀(i,j),(k,l) ∈ K. P_i % Q_j = P_k % Q_l 
  ⊥,                         otherwise 

where K = {(i,j) ∈ I × J | a_i = a_j} 

The function _ % _ computes the second part of a split behaviour. Essentially, it 
returns the "rest" of a behaviour after Ω(n). Note that if Ω(n) is a branching behaviour, 
then the rest must be the same in all branches (since only one behaviour can be 
returned), e.g. S(n) % Ω(n) = ⊥, if 

S(n) = a!e.b!e ⊕ c!e.d!e and Ω(n) = a!e.ε ⊕ c!e.ε 
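
The functions _ − _ and _ % _ and the participant part of split, written out as an added Python illustration (this is not code from the paper or from its tool). The tuple/dict encoding of behaviours, all helper names, the omission of queues, and the reading of Q in the choice cases of _ % _ as a choice of the same kind as P are assumptions made here; the first sample is the ⊥ example above, the second system is constructed.

```python
# Added illustration of Definitions 3, 9 and 10; the encoding is an assumption.
END = ("end",)   # terminated behaviour 0
EPS = ("eps",)   # ε, where Ω(n) marks the split point
BOTTOM = None    # ⊥ (undefined)


def send(ch, sort, cont=END):
    """a!e.P encoded as a one-branch internal choice."""
    return ("int", {ch: (sort, cont)})


def recv(ch, sort, cont=END):
    """a?e.P encoded as a one-branch external choice."""
    return ("ext", {ch: (sort, cont)})


def choice(*parts):
    """Combine prefixes of one kind into a choice with distinct guard channels."""
    kind, branches = parts[0][0], {}
    for part in parts:
        if part[0] != kind:
            raise ValueError("cannot mix internal and external choice")
        for ch, branch in part[1].items():
            if ch in branches:
                raise ValueError("guard channels must be distinct: " + ch)
            branches[ch] = branch
    return (kind, branches)


def same_kind_choices(p, q):
    return p[0] in ("int", "ext") and p[0] == q[0]


def remainder(p, q):
    """P % Q: what is left of P after the prefix Q, or BOTTOM."""
    if same_kind_choices(p, q):
        shared = sorted(p[1].keys() & q[1].keys())      # the index set K
        rests = [remainder(p[1][ch][1], q[1][ch][1]) for ch in shared]
        # Only one behaviour can be returned, so every branch must agree.
        if not rests or rests[0] is BOTTOM or any(r != rests[0] for r in rests):
            return BOTTOM
        return rests[0]
    if p == END and q == END:
        return END
    if q == EPS:
        return p
    return BOTTOM


def first_part(p, q):
    """P - Q: the part of P covered by Q; unmatched external branches are kept."""
    if q == EPS or (p == END and q == END):
        return END
    if same_kind_choices(p, q):
        out = {}
        for ch, (sort, cont) in p[1].items():
            if ch in q[1]:
                sub = first_part(cont, q[1][ch][1])
                if sub is BOTTOM:
                    return BOTTOM
                out[ch] = (sort, sub)
            elif p[0] == "ext":      # the set N: branches never chosen in Ω
                out[ch] = (sort, cont)
        return (p[0], out)
    return BOTTOM                    # assumption: no other case is defined


def split(system, omega):
    """Participant part of split(S); BOTTOM if some S(n) % Ω(n) is undefined."""
    first, second = {}, {}
    for name, behaviour in system.items():
        rest = remainder(behaviour, omega[name])
        if rest is BOTTOM:
            return BOTTOM
        first[name] = first_part(behaviour, omega[name])
        second[name] = rest
    return first, second


# The ⊥ example from the text: S(n) = a!e.b!e ⊕ c!e.d!e, Ω(n) = a!e.ε ⊕ c!e.ε
PAGE_S = choice(send("a", "e", send("b", "e")), send("c", "e", send("d", "e")))
PAGE_OMEGA = choice(send("a", "e", EPS), send("c", "e", EPS))

# Constructed two-party system (not from the paper) whose split is defined.
SYSTEM = {
    "b": send("order", "str", recv("price", "int", send("addr", "str"))),
    "s": recv("order", "str", send("price", "int",
              choice(recv("addr", "str"), recv("nop", "unit")))),
}
OMEGA = {
    "b": send("order", "str", recv("price", "int", EPS)),
    "s": recv("order", "str", send("price", "int", EPS)),
}

if __name__ == "__main__":
    print("page example:", remainder(PAGE_S, PAGE_OMEGA))
    print("constructed split:", split(SYSTEM, OMEGA))
```
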



A.4 Results 

Definition 11. There is a race in S if and only if there is S S' such that 3 a G R(S') 
such that 

3 {n,m} G ^P(S) : a G R(5(n)) and a G R(5(m)) or a G R(5(n)) and a G R(5(m)) 
B Definitions Used in the Proofs 

Definition 12 (Connected - R). 

- Two participants are connected in a system S if (n,m) G R$ 

(n,m) eR s C(S(n))nC(S(m))^0 or3n. (n,n) E R s A (n',m) e fl s 

- Two participants are connected in a global type Q i/(n,m) € 

(n,m)e/?g C(^ln)nC(^U)^0of3n'.(n,n')e/?^A(ii',m)e% 
Definition 13 (Projections with queues). 



C Proofs for Theorem 1 (Decidability) 

Typability is decidable. 

Proof. The typing system is decidable from the fact that the ready set of a system, the 
number of participants, and their behaviours are finite. Here, we show that the number 
of behaviour unfoldings needed to type a system is also finite. 
Let (non-recursive) behaviour context C [_] be defined as follows 



Q\a={ 




ifg = *^a:r(e).g> 
if Q = s — > r : a(e).§' 

ifg = g 1 + g 2 

ifQ=Qx | Qi anda<£C(Qi),i£je {1,2} 

ifQ=Q\\Q2 

if*^r:a{e) <£ Q 

otherwise 



Definition 14 (_«_). 




Ctt-.^Qa.lei.Ql} | 2>? ei .Q[_] | [_] | px.P \ x 




x 
The need for unfolding occurs whenever a recursive participant interacts with 
another participant, while not all the participants feature directly a recursive behaviour. 
In this case, we need to unfold some participants (rule [eq]), then use rules [e], [+], [.], 
and/or [Oj until rule [p] is applicable. Note that rules [;], [ | ] and [p] cannot be used under 
recursion. 

Consider the following system 

S = Sq I Si 

where 

50 = n! [Ci [/iX.C; [x]]] | ... | nj [Cj [fix.Cfj [x]]] (C.l) 

51 = }n j+1 \ M x.C' j+l [x]] | ... | n k ^x.C; + * [x]] (C.2) 
S£, $0% and there is exactly one n e !P(S) such that 

S = n[S(n)] | T and T$ 
Let Ci for j<i<j + kbe the empty context, we can rewrite S such that 

S = [Q [a/x.C,' [x]] ] I = {i\l<i<j + k} 

iei 

Given S as above, we define \i\ x to be the smallest k such that C, [x] is a sub-tree 
of unf old< r (C- [x]), |/| x = _L if there is no such k. Note that |/| x must be smaller than 
the length of C, [0] (since recursion is guarded). If one |/| x is not defined, then S is not 
typable. 

We also defined M = max{|;'| x | ;' e /}, and K{i) = M — |/| x . We can unfold each 
behaviour so that all of them are unfolded to the same extent, let 

S* = [unf old* (0 (C, [a/x.C,' [x]] )] 
iei 

We show that 

A;T;C ^ S* > Q ^ A;T;C ^ S > Q 

By definition of unf old(_), and since C [_] does not contain recursive definition, we 
have 

S* = Yin, [Q [unf old^ (;) (/iX.C; [x])]] (C.3) 
iei 

= Yln i [Ci[C>i[C>[...C>[^C'M]]---]]] (C4) 

iei 

Where in (C.4), C\ [_] has been unfolded K(i) times. It is easy to see that S* is typable 

if 

l\n i [C i [C' i [C' i [...C' i [0}}-}}} and Yl^&lO}] 

iei iei 

are typable themselves, note that rule [eq] does not need to be used to unfold the 
left-hand side system, since it is recursion free; and there is exactly one recursion less in the 
right-hand side. 

In fact, if we would unfold (C.3) once more, we would not get more chances to type 
S* since it would amount to add the sub-derivation of the right-hand side to one of the 
left-hand side. 
D Proofs for Lemma 2 (Uniqueness) 



If A;Γ;C ⊢ S ▸ G and A;Γ;C ⊢ S ▸ G' then G = G'. 

Proof. The proof is by case analysis. We show that every time one rule from Fig. 2 is 
applicable, either no other rule is applicable, or the derivation produces an equivalent 
global type. 

Due to their syntactic restriction and the condition S% the cases for rules [.], [e], and 
[fj] are straightforward. In addition, the case for rule [+] is easy since it does not affect 
Q. The cases for rules [x] and [0] are trivial. 

The case for rule [eq] follows from the fact that associativity and commutativity in 
S do not affect Q. In addition, if one unfolds a behaviour once more, we have the result 

since /jx.g = g\^x.g/x\. 

The interesting part of the proof is to show that [ | ] and [;] are mutually exclusive. 
In fact, if [|] is applicable, [;] cannot be used because © and o@ must be total on 
^ and © 7^ 0. If a system S could be separated in two sub-systems by [ | ], these two 
conditions could not hold. If [ ;] is applicable, it means that it is not possible to split the 
participant in two totally independent sub-systems, and therefore [ | ] is not applicable. 
Finally, observe that by Lemma 16 the split is unique. 

E Proofs for Theorem 3 (Well-formedness) 

If A;Γ;C ⊢ S ▸ G then • ⊢ G and G is projectable. 

Proof. The proof is by induction on the derivation A;Γ;C ⊢ S ▸ G. We make a case 
analysis on the last rule used. 
Case [.]. We have 

Q = s^T-.a(e).g' and 5 = s[a\e.P] | r[a?e.Q] | S' 

- WF. We show that we have 

Vnj ^n 2 : _GR(^')-{s,r}n{n 1 ,n 2 }^0 

by contradiction. By IH, we know that 

{a}UA;T;C<s^r:a hs[P] | r[Q] | S' ► §' 

If we had Q' = ni — >• n 2 : b{e').Qo + Q\, with rii ^ s and Hi with ;' e {1,2}, 
then we would have 

S' = n 1 [ble'.P^P[]n 2 [ble'.Q' + Q' l } \ S" 
which is in contradiction with the premise S' % 

By Lemma 25, the result above and since C< s — > r : a is defined, we have • \-Q. 

- Projection. By Def. 1, we have that Q [ s — a\e.Q' [ s , Q [ z = ale.Cj 1 [ z , and Q [ n = 
^'Ufors^n^r. 
Case [⊕]. We have 

£=£o+£i and S=s[PQ)Q}\S' 

- WF. Observe that we have that all the guard channels are disjoint by definition of 
processes. We have to show that 

V(ni , n 2 ) G R( Qo) .V(ni , n£) € R(£i ) . ni = n\ 

i.e. that for all prefixes in Qo and Q\ , s is the sender. In other words, the participant 
who makes the internal choice must be the same in all the branches. If that was not 
the case, we would have 

S , = n 1 [ft!e.Q eei] | H^-Qi + Qi] | S" 
which is in contradiction with the premise S' 

By Lemma 25, the result above and Ch(jo and C \-Q\ by IH, we have • \-Q. 

- Projection. We have to prove that 

Vn€!P(£o + £l)-£oLW£l L^-L 

By IH, we have that both Qq [ n and Q\ |_ n exist. There are two cases where the 
projection does not exist (;' ^ j G {0, 1} in the following): 

• QAn— ale.P and Qj[ n — ble 1 .Q. This cannot happen by definition of behaviours, 

i.e. such projections could only come from behaviours of the form (ale.P) (B(ble'.Q), 
which is not syntactically correct. 

• Qi U= LkeK^^.Pk and Qj L n = Y,k'eK' a k ile^ -P k >, with a k = a k < for some k 
and k' . This cannot happen by definition of behaviours, i.e. such projections 
could only come from behaviours of the form ale.Po + ale.P\ which is not a 
syntactically correct behaviour. The same reasoning applies for internal choice. 

Note that we have Q[ s = Qois® Q\ Is- 

Case [+] 

- WF. By induction hypothesis, we have C h Q and by Lemma 25, we have • h Q. 

- Projection. By induction hypothesis. 

Case [ | ] We have 

Q = (jo I Qi and S = S Q \ Si 

- WF. We have to show that 

fP(£b)nfP(£i) =0 and C(go)nC{gi) = 

By definition of systems, we know that there cannot be two participants of the same 
name in a same system, since S | S' is a system we have that 

<P(Sq)C\<P{S x ) = 

and by Lemma 27, we have fP( Qq) n fP( (71 ) = 0. By Lemma 29, the premise Aq n 
Ai, we have (7(^o) H C(Qi) = 0. We have Chj^o and Ch^i by assumption, with 
the result above and Lemma 25, we have • h Q. 
- Projection. For all n e Q U is defined by IH and since !P(£ ) n 2{Qi) = 0. 
Case [;]. We have 

£=£o;£i and C<T(g Q ) and split(S) = (S ,Si) 

- We have to show that 

Vn! -m 2 : _eR(£i).3AT] ^JV 2 e F (£ ) -ni eiViAE 2 eJV 2 (E.l) 

and 

VJV e Fp(^o) e Fp(^i) .NHN' ^ (E.2) 

We know that split (5) = (So, Si) therefore there is © h 5 o i2 coherent. We 
show (E.l) first. We first show that 

s4r:aeE((Ji) <*=>• {s,r}e© 

We start with 

ni-J-nj :_SR(^i) <^> Si (14) | Si(nj)$ 

(=>) If rii — > rij : _G R(Cn) then we musthave Q\ = ((tlx — > rij : a{e).(j2 + §3) \ Q^)\Qs 
(by definition of R). And by Lemma 26, this implies that Si(n ± ) = ale. P (BP' and 
Si(v. i )=ale.Q + Q'. Thus we have Si(n ± ) | Si (14)$. 

(<;=) if Si (iii ) I 5i (nj ) $, we must have S x (n ± ) = a! e.P 8 P' and S x (rij ) = ale.Q + Q' 
and since Q\ is well-formed by IH, we have the required result by Lemma 26 and 
the definition of R. 
Now, let us show that 

Si(ni) I Si(nj)$-<=> {n i ,n j }e© (E.3) 

(=>) Since the processes interact, we know that they are 7^ 0. Moreover, since they 
appear in the second part of the split, the following rule must be applied so that 
Si(n ± ) = S(ni)%Q(ni) and Si(nj) = S(n j )%Q(n j ) ( 7^ _L by assumption) with 
il(ni) and i2(nj) ending with e. 

rii e N,nj EM 

njS^ni)] I nj [Si (nj )]^ V-N\{n} •M\{m}; © h S o CI 
-N-M; ©-{nijiij} h Hi[Si(ni)] | nj [Si (nj )] | S o i2- ni :e-nj :e 

which gives us the expected result. Note that the rule [rem] cannot be applied because 

the processes interact with each other we do not have n[P] | S% 

(<=) If {ni , nj } <G © then, the rule [e] must also be applied (the axiom cannot be 

reach with 7^ 0), since the rule requires that ni [Si (n^)] | nj [Si (nj )] |, we have 

the expected result. 

Let us now show that 

V{n { , n; } G © • 3N, ^ Nj e F ( £>) . n ( - e Nj A n, e (E.4) 
First we show that 

N£F (g )^>3\N' £*¥ : NHN' j=0 (E.5) 

By Lemma 20, we have that V7V E F (^o) -Rg Q * s tota ^ on By Lemma 21, we 
have that (n,m) E Rg => (n,m) e ©. By Lemma 12, we have that (n,m) E © =>■ 
{n,m} e TV e *F. Therefore we have 

NEF (g )^3N' eW : 

and N' is unique since ^ is a set of pairwise disjoint sets. 

We finalise the proof of (E.l), by showing (E.4) by contradiction. If we had 

3{n 1 ,n 2 }e0.3JVeF o (§b).{n 1 ,n 2 }eiV 

by Lemma 1 1, we have that 37Vi ^^e* : ni E N\ E ¥ and n 2 E 7V 2 E ¥ which 
is contradiction with (E.5). 

Let us now show (E.2), i.e. 

V7V eF P (£o)-3jV' eF P (£i) : 

We first show that 

F P (£)=^ 

By definition of F P , we have that 

£= n ^ with^#^ 1 c 

Therefore, by Lemma 20, 7?^ is total on ^P{Qn) for each N. By Lemma 21, we 
have that © is total on each &{Qn) as well, and by Lemma 12, we have 

N E^ = 7V 

Now, we show that 

V/v e *F.37V' e F P (^i).ATny ^ 

by contradiction, if we had 

e^JVn^i) = 

by Lemma 1 1 , we must have N E^¥ such that {n, m} E © and n€JV and m E M. 
Since n E N is also in ©, we must have Si (n) | Si (m) ^ which implies that Si (n) = 
and therefore n E fP( £1 ), by Lemma 27. Thus Nr\ r P{Qi)^0 
From (E.l), (E.2), the fact that by assumption C< T(§o) is defined, and Lemma 25 
we have • \-Q. 

- Projection. By IH, we have that for all n Q§ |_„ and <^i [ n exist, thus we have that 
Go U [£1 U/0] is defined for all n. Note that since • h^ , we have #(F (£b)) > 1 
(cf. E.l). Therefore, by Lemma 23, fv(Cn) = 0. In addition, by Lemma 22, we 
have bv(S) = (since the split(S) by assumption), and by Lemma 24, bv(^o) = 
0. Thus, every branch in Qq ends with 0, and all the projections of Qq end with 0. 
Case [p] We have 

Q=n-Qo and S = n 1 ]/ix 1 J> 1 ] | ... | n k \ptx k .P k ] and 

- WF. We have to show that 

xefv(s') = 1 

we can apply Lemma 23 and we have the result directly. Observe that the recursion 
is prefix guarded since 3i, j : n±[Pj] | mj [Pj] $ holds. 

- Projection. By induction hypothesis. 

Case [x] We have 

Q = % and Vn € fP(S) .S(n) = x n 

We have to show that C< C(%), which follows directly from the premises of rule [x]. 
Case [0] Trivial. 
Case [p] We have 

g = *^r:a(e).g' and S = r[a?e.g] | a : e • p | S' 

- WF. We show that we have 

Vni^E 2 :_eR(^').ii i =r with ie {1,2} 

by contradiction. By IH, we know that 

{a}UA;r;C^s^r:a h r[Q] \ a : p | S' ► g' 

If we had g' = ni — > n 2 : b(e').go + Q\, withiii ^ r with i £ {1,2}, then we would 
have 

S , = n 1 [We'.^ei y i]n 2 [i?e , .e'o + e' 1 ] | S" 
which is in contradiction with the premise S' % 

By Lemma 25, the result above, and since C< * — > r : a is defined, we have • \-g. 

- Projection. By Def. 1, we have that g [ r = ale.g' [ x , and g [ n = g' |_ n , for n^r. 

F Proofs for Theorem 4 (Subject Reduction) 

If A;o;C hS ► S-^-S', and C(A.) C then A ; o ; C h 5' ► £' 

Proof. There are three cases to consider. 

Case 1. S = Si | S 2 with Si ^ S'j and S 2 S 2 
In this case, S must have the following form 

S = n[a\e.P®P'] | a : p \ T and S' = n[P] | a : p • e | T 

and by Lemma 2 we have that A ; o ; C h S' ► 
Case 2. S = Si | S 2 with Si ^ S[ and S 2 S' 2 
In this case, S must have the following form 

S = n[a?e.P + P'] | a: ep | T and S' = n[P] | a : p | T 

and by Lemma 2 we have that A;o;C hS' ► (j' 

Case 3. S S in this case, we have A ; o ; C h S' ► ^' trivially since S' = S. 

Case 4 (unfolding). If S = n[μx.P] | S0 and S' = n[P[μx.P/x]] | S0 then G = μχ.G0, 
and ∀m ∈ 𝒫(S0). S0(m) = μx.Q. We have the result by unfolding all the participants in 
S with rule [eq], so to have G' = G0[μχ.G0/χ]. 

In the other direction, we have the result by folding all the participants in fP(So). 

Case 5 (commutativity and associativity). If S = S', then we have the result with rule 

[eq]. 

Lemma 2. The following holds: 

1. A;o;C hs[a!e.P0P'] \ a : p \ T *> $ ^> A; o;C h s[P] \ a : p ■ e \ T *> g' 

2. A-o-C hr[a?e.P + P'] | a : e • p | T ► £^A;o;C h r[P] | a : p | r ► Q' 

with _ ^ _ : a in 1 and 2. 
Corollary 1. 

Q U= {ale. g in) © £i U=> U= £o U 

and 

Proof. We show that 1 and 2 hold by contradiction. 
Case 1. Assume 

A;o;C h s[a!e.P®P'] | a:p \ S ► £ is derivable. 

A ; o ; C h s[P] | a : p • e | S ► is not. 
Take S = r[a?e.Q] | S', p = [], and S'% We must have the following sub-derivation for 

Q 

A;o;C^s^r:ahs[P] | a: p | r[a?e.g] | S' ► £ 
'''A;o;Chs[a!e.P] faTp] r[a?e.g] | S' ► s^r:a(e).£ (F.l) 
Consider the non-derivable judgement for Q' 

_L 

A; o;C<* ^ r : a h s[P] \ a : p \ r[ale.Q] \ S' ► Q' 
[PI A;o;Chs[P] | a:e \ r{ale.Q] \ S' ► * ^ r : a(e).£o (F.2) 
Where the rule [p] must be applicable here, since the only difference with the above 
system is C< * — > r : a which is defined since _ — > _ : a £ C. 
We have a contradiction here since 

s[P]\a:p \ r[a?e.g] | S' is derivable in (F.l). 

while 

s[P] \a:p\ r[a?e.g] | S' is not derivable in (F.2). 

Case 2. Assume 

A; o;C hr[a?e.P+P'] | a: e-p | S ► £ is derivable. 

A;o;C hr[P] | a:p | S ► is not. 
Take S such that 5^. We must have the following sub-derivation for Q 



A;o;C<*^r:a\-r[P} \a:p\S> Qq 
[Pl A;o;C hr[a?e.P] | a:ef> \ S ► * -> r : a(e).g Q (F.3) 

This induces a contradiction since we would have the following for Q' 

_L 

[Pl 7 

A;o;Chr[P] | a : p \ S > Qq (F.4) 
Note that the lack of * -> r : a in C does not affect since _ -> _ : a ^ C. 

G Proofs for Theorem 5 (Progress) 

If A; ◦; C ⊢ S ▸ G then S → S', or ∀n ∈ 𝒫(S). S(n) = 0, or S 

Proof. The proof is by contradiction. If we had A ; F;C\- S > Q and S => 5', with 5' # 
5' 7^ and 3n e fP(S') : 5'(n) 7^ 0. By Theorem 4, we should have A ; T; C h 5' ► 
Let us take 5' = n[a!e.P] | S" (with 5'$). No rule from Fig. 2 is applicable for this 
process, and therefore S' is not typable. 

H Proofs for Theorem 6 (Safety) 

If A; ◦; C ⊢ S ▸ G, then S is race free and S ⇒→ error is not possible. 

Proof. No error. The proof is by contradiction. Assume we have A ; F ; C h 5 ► (7 and 
5 5' with 

5' = a: e-p | r[a?e'.Q] | 5" and e ^ e' 

so that S — > error. By Theorem 4, we should have A ; F; C h 5' ► (7', however, no 
rule is applicable for S'. Indeed we have 5^, but e 7^ e'. 
No Race. Straightforward by contradiction with Theorem 4, the following is not typable 

5' = n[a?e.P] | m[a?e.e] | S" 

due to the condition on C, the premise in [.], and the fact that the set of channels 
must be disjoint in concurrent branches. The other case (i.e. two sends) is similar. 

Lemma 3. If A ;T;C h S ► Q, then, Vs^r:aeF P (^) : , either 

3!{s,r}e2>(S) : a <= R(5(s)) and a e R(5(r)) or 3!(r,a) G ^P(S) x C(S) : o€R(5(s)) 

Proof. By straightforward induction on the derivation. Each case follows by definition 
of Fp(^), and the premise S% 

I Proofs for Lemma 1 and Theorem 7 (Equivalences) 

If A; ◦; C ⊢ S ▸ G then ∀n ∈ S. G↾n ≲ S(n). 

Proof. Let B be a binary relation on processes defined as follows 

{P,Q)&B A;T;C hS ► £ and 3n e !P(5). £ U= P and 5(n) = Q 
Let us show that B is a simulation. 

- If Q[ n — -*P\ then Q[ n = a!e.Pi ®P 2 and by Lemmas 30 and 32 we have that 5(n) = 

ale.Qi Qi and thus 5(n) Qi 

Now we have to show that (Pi ,Q\) efi, i.e. 

A;T;C\-S' ► Q' with [ n = Pj and S'(n) = Qi 

Pose 

5' = n[2i] | a: e | f] S(m) 

m/nerP(5) 

by Lemma 2, A ; T ; C h 5' ► and by Corollary 1 , we have Q' \ n =P\, as required. 

- If Q Ln^^ A then Q [ n = a7e.Pi +P2 and by Lemmas 30 and 32 we have that 

5(n) = ale.Qx + 62 and thus 5(n) <2i 
Now we have to show that (Pi , Q\) E B, i.e. 

A ; T ; C h 5' ► Q' with £' t n = Pi and S'(n) = Q x 

Pose 

S = n[a?e.ei+e 2 ] I a:e p | F] S(m) 

and 

5' = n[Qi] I a : p I Jl 5 ( m ) 
by Lemma 2, A ; T ; C h S' ► and by Corollary 1 , we have Q' [ n = Pi , as required. 
- If Q Ln — > P\ then Q [ n = and Pi = 0, thus n ^ and by Lemma 27 this means 
that 5(n) = 0, we then have 5(n) -A 0. 

Lemma 4. The following holds: 

1. //A;T;C hn[a!e.P0P'] | S ► Q then Q[ n = a\e.Q@Q' 

2. IfA;T;C h n[a?e.P+P'] | S ► Q then either Q [ n = ale.Q + Q ', or A;T;C h 
n[P'] | S ► Q 

Proof. The proof of 1 is by Lemma 26, and the proof of 2 is by Lemma 26 and rule [+]. 

If A; ◦; C ⊢ S ▸ G then ∏_{n∈𝒫(S)} n[G↾n] ≈ S. 

Proof. For this proof we pose T = Umeng) m t£ W I ILec^) fo : £ U- 
5 sends. Assume 5 = So | Si, So n ^—$ and Si We have 

5 = n[a!e.P0P'] | a : p | S" (1.1) 

and 

S' = n[P] | a : p • e | 5" (1.2) 

By Lemma 4, Q [ n = ale.QQ) Q' , thus Q U~~^> an d by Lemma 34 Q [ a = p. 
We then have (note that a € C(Cj)) 

T = n[a\e.Q®Q'] | a:p | J] m[£L] I ]1 (L3) 

m^nev(g) b^aec(g) 

and by definition of — >, 

T' = n[Q] | a: p-e | J] m l£U | ]1 £U (1.4) 

Let us now show that 

A;T;ChS' ► £'withr'= Jl m [£'Lm] I 11 * : £'L* (J-5) 

mefP(£') b€C(£') 

By Lemma 2 we know that A ; T ; C h 5' ► we have that |. n = 2, by Corollary 1 , 
and U= p • e by Lemma 34. 

P sends. Assume P ee P | P 1? P ^ and Pi We have 

P = n[a!e.e®e'] | a:p | J] m[£L] I ]1 d-6) 

and 

T' = n[Q] | a : p • e | J] m[£L] I ]1 ( L7 > 
By Lemma 1, we have 5(n) ^4, and since, by Lemma 28, a e C(Q) => a e C(S), 
there is a queue a in S. Note that a queue a can always make a transition a : p' 
(regardless of p')- By Lemma 34, S(a) = p. 

Therefore, we must have 

S = n[a\e.P(£P'] \ a : p \ S" (1.8) 
And by definition of — >, we have 

5' = n[P] | a : p • e | S" (1.9) 

Finally, we have 

A;T;ChS' ► £' with r' = n m [£'Lm] I fl * : £'L* ( L1 °) 

m€i>(£') bEC(g') 

by Lemma 2. 

n[c[?e] e-a 

S receives. Assume 5 = So \ Si, So — > and 5i — >. We have 

S = n[ale.P + P , ]\a:e-p\S" (1.11) 

and 

S' = n[P] \a:p\S" (1.12) 
By Lemma 4 and (1. 1 1), we have either 

gU=a?e.Q + Q' (1.13) 

or 

A;T;C h n[P'] | a: e-p \ S" > Q (1.14) 

However, by assumption we have A;F;C \- S ► Q, with 5 as in (1. 11), therefore (1. 14) 
cannot hold by Lemma 5. 

By Lemma 34, we have that Q \ a —^ and by (1. 13), Q U"~~^- By definition of — >, 
we have 

T = n[a?e.Q(SQ'} | a: e-p | J] m t£UI 11 b '-^ (1.15) 

^neT(Q) b^aeC(Q) 

Let us now show that 

A;r ; chS' ► £'withr' = n m [£'lm] I 11 ( L16 > 

By Lemma 2 we know that A ; F ; C h 5' ► (7', we have that (7' |. n = g, by Corollary 1 , 
and Q' \ a = e • p by Lemma 34. 

T receives. Assume T = T | T U T Q and 7i — >. We have 

r = n[a?e.e®e'] I a: e-p I J] m[£L] I ]1 ( L17 > 

and 

7" = n[Q] I a : p I J] m I^W I 11 b: Q^ (1.18) 
By Lemma 1, we have 5(n) -^4-, and by Lemma 34, we have S(a) = p, therefore 

5 = n[a?e.P + P'] | a: e-p | S" (1.19) 

and 

S = n[P] | a : p | S" (1.20) 

We now have to show that 

A;F;ChS' ► £' with T' = J] m[g'U] | ]1 ( L21 > 

as before, we have Q' [ n = P by Corollary 1 and Q' \ a = p by Lemma 34. 
End. If S -A S, then 5 = and Q = 0, and vice versa if T T. 

Lemma 5. If 

A;Y;C hr[a?e.P + P'] | a:e p \ S ► Q 

is derivable then 

A;Y;C h r[P'] | a: e-p | 5 ► Q' 

is not derivable. 

Proof. Assume P' = ble.P". We show that we must have 

g=(*^r:a(e).g Q I Q\)\Ql 
and the derivation of Q must have the following form 



Aq;o;C hr[P ] | a : po | 5 00 ► go 

Ao; o ; C h r[a?e.Po] | a : e • po | Soo ► * — > r : a(e).Qo 
A ;o;C hr[a?e.P +Po] | a : e • p | Soo ► * -> r : a(e).£ 



Ai;o;Cr-S i ► gi _ 

[ " A;o;Chr[a?e.P +P^] | a:e-p | S ► *^r:a(e).g | Q x Q 2 
[;I ' A;Y;C hr[a?e.P + P'] | a:e p \ S ► g 

where we must have 

- SX or g[ = g 2 = and or S i = 0. 

- split(S) = (r[a?e.Po + P()] I a:e 'Po | So, _) (the second part of the split does not 
matter) 

- b R(S) (by Lemma 7) 

- Ao n Ai =0 and b £ A2 because of rules [ | ] and [+] 
Now let us discuss a derivation for Q 1 . Since we have b £ R(S), we must have 
split (r[P'] | a:ep \ S) = (S l ,S 2 ) such that 5 x (r) = P', and Si (a) = e • p, if the split 
does exist. If it does, we have x ¥; © h r [P'] | a : e • p | S o i2 such that V7V e * . r g iV. 
Therefore, the split for the rest of the system is the same as in the other derivation. 

Again, we can divide the system using [ | ] if need be such that we get 

A ; o ; C h r[P^] | a : e • p | Sqq ► * ->■ r : a(e) . Qo 

with Soo^ therefore no rule is applicable for this judgement, and the derivation does not 
exist. 

Lemma 6. Let S a system such S% and a,b £ R(5) the following is not derivable 

T = s1[a!e.P1] | s2[b!e'.P2] | r[a?e.Q + b?e'.Q'] | S

Proof. We show this by contradiction. Given T as above, the only rule applicable is 
[+] on r either selecting the branch on a or on b. Therefore, the following should be 
derivable 



A;T;C h s^Pi] | s 2 [fc!e'.P 2 ] | r[g] \ S ► Q 
l] A;T;C h Sl [a!e.Pi] | s 2 [b\e' .P 2 ] | r[a?e.g] | S ► Sl r : a{e).Q 
1+1 ~ A;T;Chr ► s 1 ^r:a(e).£ 

and, we must have a,fr e A and s t [p] | r[g] | And the other derivation as the form: 



A;r;Ch Sl [ a !e.Pi] | s 2 [P 2 ] | r[g] \ S>Q 

" A;T;C h Sl [a!e.Pi] | s 2 [fc!e'.P 2 ] | r[fc?e'.g'] | S ► s 2 -> r : b{e').Q' 
[+] A;T;C hT ► s 2 -> r : b(e').g' 

where we have a, b ∈ A and s2[P2] | r[Q] | S$. However, this is clearly in contradiction
with Theorem 2, i.e.

sj -)• r : a(e).g^ s 2 ->• r : b{e').Q' 
Lemma 7. Let S a system such S% and a,b £ R(S) the following is not derivable

T = s1[a!e.P1] | b : e' · p | r[a?e.Q + b?e'.Q'] | S

Proof. The proof is similar to the one of Lemma 7 where b : e' · p replaces s2[b!e'.P2].

J Proofs for Theorem 8 (Completeness wrt Q) 

If • h ^ and Q is projectable, then there is Q' = Q such that A ; T ; C h fLe-p^) [ n 
Proof. By Lemma 8, with P = P(G) and Γ = ∘ since G is closed by assumption.

Lemma 8. Let Proj(G, P) = ∏_{n ∈ P} n[G↾n] with P(G) ⊆ P, and if G↾n = 0, then n is not
in P.

IfCVQ, § is projectable, and \f% e fv(Q) . Vn e P • 3 (n, %) : % e T then 
C{Q);T;C hProj(£,P) ► Q' with Q = Q' 
Proof. We show this by induction on the structure of Q. Let 

s^WQW II A = c(g) 

g = s ^ r : a(e).g + Q\. 

By definition of projection, we have 

S=s[a!e.£oU©£lU] | r[ale.g Q { s + g x [ s ] \ S {s , r} 

We can apply rules [e], [+] (twice) and [.] in order to have the result, i.e. 

bylH 

A-T-Cg h s[g [ a ] I r[g6U] | S {s , r} ► go bylH 
11 A;r;Chs[a!e.gbU] I r[a?e.gbt,] | 5 {s . r} ► g A; T; C h Proj(fr,P) ► gj 

,\ : I : f S ► (/ 

with g' = s — > r : a(e).go, and C a = s — > r : a note that the later is defined by 
C\-g. Observe that S{ s , r } ^otherwise that would mean that 3 s' — » r' : e R(^o) suc h 
that {s, r} n {s', r'} = which is in contradiction with C VQ. Finally, it is obvious that 

aeA and R(£L r )CA ;'e{0,l} 

since A = C(Q). 

Q^Q« I Qi. 

We have S of the form, by definition of projections (and well-formedness) 
S = Proj(£ ,Po) | Proj(£i,Pi) withP nPi =0 
Note that since #(F (g)) > 1, we have f v(g) = 0, therefore, by IH, we have 
A,; o; C h Proj (Q U P) ► g[ and g, = g[ and A, = C(#) 
We have the result by applying rule [ | ]: 

by IH by IH 

Ao;o;ChProj(£ ,Po) ► Q x A x ; o ; C h Proj (Qi,Pi) > Q\ 
AiUA 2 ;r;C h5 ► g 

By well-formedness we have A0 ∩ A1 = ∅, and Lemmas 28 and 28 guarantee that each
A_i is large enough.

By definition of projections, we have

S=n4"X-£'Ln] 

nG/> 

Since Q' is prefix-guarded, there must be s,r e such that 

s^'Ls] I r^Z.^'Ut 
Therefore, rule m is applicable here 

A-X;Chs[Q'{ B ] | r[^'Lr] I EI n [£'L»] ► £' 

neP\{s,r} 

AirTcFstuz^u] |r^X-£'U] |5 {s ,r} ► £ 

where 

r v =r-(s,x):z),(r,x):Z-r s and F s such that Vn e fP(S {s , r} ).r(n,x) = X 

The rest follows by induction hypothesis. 
G = χ. Then, we have

By assumption, we have ∀n ∈ P. ∃(n, χ) : χ ∈ Γ, hence we can apply rule [x] and we
are done.

Q = Q§;Q\. Then we have 

5=n^0ln[^lU/0] 

nEP 

Let us show that split (S) — (So, Si) and 

5 =n^oU=Proj(^ , J P) and Si = Q x U= Proj (ft.P) 

Since G is well-formed, we have Ψ; Θ ⊢ S ≍ Ω coherent if we pose

¥={Ar|AreF P (£o)} and © = {{s, r}|s -> r : a e R(£i)} 
For each Qi a top level concurrent branch of Qq, we have that 

{${&)}; hProj(£,!P(£)) o«« 
is derivable by Lemma 15, since Proj is typable by IH. In addition, we have 

#L=n<(n)[o/e]. 

By construction, we have 

^';© h Proj(£ ,P) = ^' withVneP.£2'(n) =e 
with 1" = {JV'iaJV e>P:iV'CJV}. 
Finally, we have Vn <E P.S(n) %£2(n) ^ _L since the same suffix Q\ [ n is added to 
each branch of a behaviour, and S(n) %i2(n) = Q\ |. n . We have the required result by IH 
and rule [;]. 

We have 

neP 

and the results holds by rule [0]. 

K Accessory Results 
K.1 Linearity

Lemma 9. If C ≺ s → r : a is defined, then either

1. _^_:a^C, 

s — > r : a 

2. C(_^_:a)= | 

c 

* — > r : a 

3. C(_^ _: a) = ! , or 

C 

4. 3 _ -> r : _ and _^s:_eC 

Proof. The proofs of 1 and 2 follow directly from Def. 2 and the definition of C(_). The 
proof of 3 follows by definition of C(_) and the fact that, by Def. 1, there cannot be an 
output dependency from s' — > r' : and * — > r : a since 

s — > r : b t^oq * — > r : a and s — > r' : 7^ I0 * — > r : a since s^*^r 

Therefore, * → r : a must be the first prefix with label _ → _ : a in C. The proof of 4
follows from Def. 2. In fact, since whenever the sender/receiver are different on
two nodes with a common channel there must be two dependency relations, we have the
following cases. In the following, we assume that there is no prefix on a in the ellipsis.
If only the senders are different, i.e. the following appears on a path in C

s' → r : a ... s → r : a

then we have s' → r : a ≺_II s → r : a and we must have at least a node between the two
such that, e.g. s' → r : a ≺_OO s' → s : b ≺_IO s → r : a and we have the result. If only
the receivers are different, we have

s → r' : a ... s → r : a

and we have s → r' : a ≺_OO s → r : a and we must have at least one node between the
two such that s → r' : a ≺_IO r' → r : b ≺_II s → r : a, and we have the result. If both
sender and receiver are different, i.e.

s' → r' : a ... s → r : a

then we need two nodes ci and C2 such that, (;) ci = _ — > r : />, otherwise there would 
be a X ii relation in the input dependency, (if) C2 = _ — > s : c otherwise there would be a 
-<id relation in the output dependency (note that -< D q is only defined if the channels are 
the same). In fact, there must an input dependency, e.g. 

s' -» r' : a < 10 r' ->• Si : &i -<io Si -> s 2 : b^ -< I0 s 2 -» r : £3 -<n s -> r : a 

and an output dependency, e.g. 

s' — » r' : a -< I0 r' — > s : c -< I0 s — > r : a 

Observe that, in the first chain, we have s 2 — > r : and r' — > s : c in the second. 
Actually, the shortest (input) chain when both pair of participants are different is 

s' — > r : a -<io r' — > s : ci -< ID s — > r : C2 -<n s — > r : a 

where we also have r' — > s : ci -<iq s — > r : a, for the output chain. Notice that in this 
case we have r' — > s : ci and s — > r : C2 in C. 

Corollary 2. If linearity holds on C and * → n : a ∈ C, then

* — > n : a 
C(_^_:a) = I 

c 

Lemma 10. Tjf C-< * -> r : a f/zen Ch(? and //T;C^*^r:a;5l-^ ► f/zen 
r;C;Sh(?K 

Proof. We have to show that if * → r : a is involved in an input or output dependency,
then there is another dependency between the same two nodes without * → r : a. Note
first that by Lemma 9, we know that * — > r : a C, therefore, if there is a need to have 
a chain of the form 

* -> r : a -<_...-< s' -> r' : a 

this need disappears with * → r : a (dependencies are needed only between nodes with
a common channel). Thus, if * → r : a is the first node in a dependency chain, then the
result holds trivially. Observe that * → r : a ⊀_OO s → r' : b and s → r' : b ⊀_OO * → r : a
for any a, b since * ≠ s; for the same reason, we have s → r : b ⊀_IO * → r : a.

Finally, we have the following cases, where the left hand side describes the dependency
involving a and the right hand side shows that the dependency between the two
external nodes still exists without the node on a.

s → r : b ≺_II * → r : a ≺_II s' → r : c ⟹ s → r : b ≺_II s' → r : c
s → r : b ≺_II * → r : a ≺_IO r → s' : c ⟹ s → r : b ≺_IO r → s' : c

K.2 Splitting systems
Lemma 11. 

{n,m}C®^3N^M : ne^AmeM 
Proof. Direct from rules [e] and [ax]. 

Lemma 12. If A; Γ; C ⊢ S ▸ G and Ψ; Θ ⊢ S ≍ Ω is derivable and coherent, then

(n, m) ∈ Θ ⟺ {n, m} ⊆ N with N ∈ Ψ

Proof. (⇐) follows directly from the fact that the judgement is coherent. (⇒) The proof
is by contradiction. Assume that there is (n, m) ∈ Θ with n ∈ N and m ∈ M, where
N ≠ M ∈ Ψ (assuming C(Ω(n)) ∩ C(Ω(m)) ≠ ∅, without loss of generality).
Let us consider the following judgement: 

Ψ' · N · M; Θ ⊢ n[a!e.P1] | m[a?e.P2] | S' ≍ Ω' · n : a!e.π · m : a?e.φ

Note that rule [e] is not applicable here since we do not have n : e and m : e. Looking
at the rules we see that only two applications of [sync] would introduce n : a!e.π and
m : a?e.φ.

For this rule to be applicable we must have S' = n'[ale.P$] | m'fale.fy | S", and 
n' A.m' M. 

By definition of split and since rule [;] must be applied for A; Γ; C ⊢ S ▸ G to
hold, we should be able to derive

A;r;Chn[fl!e.gi] | m[a?e.e 2 ] | *![ale.Qi] I m'[a\e.Q 4 ] | S" ► Q 

However, this is not derivable due to the obvious race on channel a\ 

Lemma 13. If 

split (r[P] I a : p | T) = {S' ,S[) such that S' (t) = P and S' (a) = p 
then 

split(r[a?e.P] I a : ep | T) = (So, Si) such that Sq(t) = ale.Po and So(a) = e-p 

In addition, Vn G <P(T) : 5 ( (n) = S'^Jor i G {0, 1}. 

Proof. Straightforward (runtime rule) 

Lemma 14. If A; T; C h s[a!e.P©P'] | a : p | T ► £ an d 

split(s[a!e.P©P'] I a : p I T) = (S U S 2 ) 

such that 

Si(s)=a!e.P Q (S)P' and Si(a)=p 

then we have 

split(s[P] I a : p-e | T) = (S[,S' 2 ) suchthat S[(s) = P and S[(a) = p-e 
WVn^s G 2(S).Si(n)=S[(n) and 5 2 (n) = S' 2 (n), ditto Va G C(S). 
Proof. We must have a judgement of the form 

*P;© h s[a!e.P®P'] | a:p \ T o i2 • s : fl!e.P ©^o • r : fl?e.go©Go ' a : P 

Since the system is derivable, we have to use [q] until the queue is empty (otherwise 
linearity would not be preserved). Then only use [sync] to remove the send on a, therefore 
both p and the send should be on the same part of the split. After reduction, we have 
the following judgement 

*P;© h e[P] | a:p e | T o £2 ■ s : P ■ r : a?e.g ©2o -a : P ■ e 

Since r was able to receive e from s before, it must be able to receive it from the queue 
as well (note that there is not restriction on wrt VP with action on queues). 

Lemma 15. If A; Γ; C ⊢ S ▸ G then {P(S)}; ∅ ⊢ S ≍ Ω and Ω(n)[0/e] = S(n).

Proof. Straightforward induction on the derivation of {P(S)}; Θ ⊢ S ≍ Ω. Note that
for each rule of the split, there is a rule in the inference system, whose premises are
always weaker. Also, [e] is not applicable (since Θ is empty) and Ω keeps track of
everything that happens (modulo the branches which are not taken).

Lemma 16. If A; Γ; C ⊢ S ▸ G and Ψ; Θ ⊢ S ≍ Ω is coherent, then ∀Ψ', Θ', Ω' such
that Ψ'; Θ' ⊢ S ≍ Ω' is coherent: Ψ = Ψ', Θ = Θ' and Ω = Ω'.

Proof. First, recall that by Lemma 12:

(n, m) ∈ Θ ⟺ {n, m} ⊆ N with N ∈ Ψ

We first show that Ψ (such that the split is coherent) is unique. Note that because of
condition (4.2) and the fact that A; Γ; C ⊢ S ▸ G, it is not possible to have a coherent
judgement with Ψ' like Ψ except for two sets in Ψ being merged (subdivided) in Ψ'.
Indeed, the number of interacting pairs of participants is fixed in S. The only changes
one can do in Ψ are as follows

1. Add n in N ∈ Ψ (with n not in Ψ).

2. Remove n in N ∈ Ψ (with n in Ψ).

3. Permute n ∈ N ∈ Ψ with m ∈ M ∈ Ψ.

We now show that any of these changes makes the judgement not coherent.

Case 1 . Assume VP = N • VP and VP' = {n} U N • VP . This means that Q.' (n) ^ and 
£2'(n) 7^ e (otherwise © would not be total on {n} UAO, and £2(n) = 0, or Q(n) = e, or 
n only received from queues. This means that n interact with participants in ii' but not 
in i2, which means that at some point in the derivation of Q. we have n[_] | So^ while 
we have n[_] | So§ in the derivation for £2' . However, since Q is typable, there cannot 
be races in the systems and therefore, the interaction between pair of participants must 
be the same in both derivations of £2 and £2'. 

Case 2. Assume that vp = {n} U N • VPo and VP' = N • VPo, the case is similar to the 
previous one, we have that at some point in the derivation of £2' we have n[_] | So $ 
while we have n[_] | SqX in the derivation for £2. 
Case 3. Assume that Ψ = {m} ∪ N · {n} ∪ M · Ψ0 and Ψ' = {n} ∪ N · {m} ∪ M · Ψ0.
We know that

∀n' ∈ N. C(Ω(n')) ∩ C(Ω(m)) = ∅ and ∀m' ∈ M. C(Ω(m')) ∩ C(Ω(n)) = ∅

since the original judgement is coherent and the system typable. This implies that we
cannot have Θ total neither on {n} ∪ N nor on {m} ∪ M. Therefore the judgement is not
coherent.

We now consider the changes that one can make on Ω. Note that changes on Ω
must be done on pairs of participants since they always interact by pair (except for
those which interact only with queues but that has no effect on Ψ or Θ).

1. There is n1, n2 such that Ω(ni) is a prefix of Ω'(ni). A pair of elements in Ω' can
only be longer if one merges two in Ψ, which is possible (see above).

2. There is n1, n2 such that Ω'(ni) is a prefix of Ω(ni). A pair of elements in Ω' can
only be shorter if a set in Ψ is subdivided into two sets which is not allowed
either.

We consider changes that can be made on Θ:

1. Add {n, m} to Θ, then, that pair will not allow the derivation to reach the axiom,
unless sets in Ψ are sub-divided, which is not possible.

2. Remove {n, m} from Θ, then, there will be a pair missing to reach the axiom (plus
Θ might not be total any more); unless two sets in Ψ are merged, but this is not
possible.

3. Permutation in Θ would only be possible if one could permute participants in sets of
Ψ which, by above, is not possible.

K.3 Others 

Lemma 17. If Q ^ Q$ \ Q\ and • \-Q then Rg is total on T(Q). 
Proof. We show this by induction on the structure of Q. 

g = s^z: a{e).Q'. By definition (s,r) e Rg and by WlRgi is total on Since 
Q is well-formed we have 

Vii! -m 2 : _eR(£')-{rii> n 2}n{s,r} 

Thus there is (s,n ± ) G Rg or (r,^) e Rg and we have the required result by definition 
oiRg andDef. 1. 

Q = Cjo + Q\. By IH, Rg f is total on < S{_Qi) for i e {0, 1}. Since Q is well-formed we 
have 

V s -> r : a e R(^).V s -)• r' : b e R( Q') . s = s' A a ^ b 

i.e. s — s' e Qi, and we have the required result by definition of Rg and Def. 1. 

Q = s — > r : a(e).(Qo \ Q\). By IH Rg f is total on ^P{Qi). Since Q is well-formed we 
must have s e &{Cfi) and r G ^{Qj) with i ^ j £ {0, 1}. We have the required result 
since we have (s,r) € Rg by definition of Rg and Def. 1. 
G = G0 ; G1. Observe that by IH and by definition of F_P, we have that ∀N ∈ F_P(G_i). R_{G_i}
is total on N, with i ∈ {0, 1}.

Since the projection is defined as Q |. n = (70 U \Q\ U/0], we have that 

VN xJV, C Fp(^o) x F P (£i) : /^istotalonA'oLWi if there is n G N f~Wi 

Since Rg is a transitive relation, let us define a transitive relation on the intersection of 
sets of participants from Q§ and Q\ : 

(No,Ni) G W 

Afc fWi 7^ or 3 (M ,Mi) : (AT ,Afi) G W and (Af ,#i) G W 
It is easy to see that Rg is total on any Nq UNi whenever (No,N\ ) G W, thus 

Rg is total on (J jVoLWi 

(A r ,A'l)GW 

Let us show that 

{N Q ,Ni) G Fp(^o) x Fp(^) => (Afo.M) G W 
Since ^ is well-formed we have 

Vs->r:_eR(£i).3tfi ^AT 2 G F (£ ) .s G Aft Ar G N 2 (K.l) 

and 

G F P (£o) -3AT' G F P (£i) .ATW' 7^ (K.2) 
Therefore, by (K. 1) and the fact that s ->• r : _ G R( £1 ) { s, r } C A/ G F P ( £x ), we have 

VA^i GF P (^ 1 ).3A r o^A'oGFp(^o) : N n Aft ^ and N* n Ni ^ (K.3) 
By (K.2), we have 

VA^o G Fp(^o) -3Aft G Fp(£x) : No(lN\ ^ (K.4) 

Now assume that there is (N0, N1) ∈ F_P(G0) × F_P(G1) such that (N0, N1) ∉ W; this is in
contradiction with (K.3) and (K.4).

g=n%.g. By ih 

Other cases. The cases where Q = or Q = % are trivial. 
Lemma 18. If A; Γ; C ⊢ S ▸ G and • ⊢ G then the following holds

∀n ∈ P(S) : C(S(n)) ⊆ C(G↾n)

Proof. Straightforward induction on the validation rules.

Lemma 19. If A ; T; C h 5 ► £ one/ is fofaZ on f/zm # s is tofa/ on fP(5). 

Proof. By Lemmas 17 and 18 and the definition of R_S.

Lemma 20. If • ⊢ G then ∀N ∈ F(G). R_G is total on N.
Proof. By Lemma 17 and the definition of F.

Lemma 21. If A ; T; C h S ► Qq ; £i, C h£ , *P; © I" S o is coherent, and split (5) 7^ 
_L f/zen 

Vn,m e fP(5) : (n,m) G (n,m) € © 

Proo/ Straightforward by definitions of Rg Q and ©. Note that external choice branches 
which do not appear in D. do not appear in Qq either. 

Lemma 22. If bv(S) ≠ ∅ then split(S) = ⊥.

Proof. If bv(S) ≠ ∅, we must have

S = n[P] | S' where μχ.P' is a suffix of P

The result follows from the fact that there is no rule in Fig. 3 which "removes" recursive
definition. Therefore, it is not possible to derive a split whenever there is a recursion
definition in the system to be split.

Lemma 23. If A; Γ; C ⊢ S ▸ μχ.G and χ ∈ fv(G) then #(F(G)) = 1.

Proof. The proof follows from the fact that the context Γ is emptied each time the rule
[ | ] is used in the derivation (this rule is the only one introducing concurrent branches).
In addition, for the axiom [x] to be used in the derivation one must have (_, _) : χ ∈ Γ.
Therefore, the only way one could have #(F(G)) > 1 (i.e. at least two concurrent
branches in G) is if χ does not appear in G.

Lemma 24. If A; Γ; C ⊢ S ▸ G and bv(S) = ∅ then bv(G) = ∅

Proof. By straightforward induction on the rules of Fig. 2.

Lemma 25. If C ⊢ G then • ⊢ G

Proof. This follows from the fact that • ≺ C is always defined.

Lemma 26. If A; Γ; C ⊢ S ▸ G and G is well-formed

G = ((n → m : a(e).G1 + G2) | G3) ; G4 ⟺ S = n[a!e.P ⊕ P'] | m[a?e.Q + Q'] | S'

Proof. (⇒) Assume that

A; Γ; C ⊢ S ▸ ((n → m : a(e).G1 + G2) | G3) ; G4

is derivable. We show that either a rule introducing the corresponding operator is applicable
or that an equivalent G can be inferred.
- If A ; T; C h 5 ► (7' ; §4 is derivable then we have either split (5) = _L then Q\ = 0, 
thus 

A;Y;C^S> Q' 
or split (5) 7^ _L, in this case, we must have 

split(S) = (Si,S' 1 ) 

with 

A;o;Ch5i^^' and A; o ; 1{Q') h 5i ► £4 

- Assume = | §3, if A ; T; Ci h Si ► is derivable then we must have either 
Si = S 2 I 53, A = Ai UA 2 , and Ai nA 2 = such that 

Ai;o;C\-S 2 > Q" and A 2 ; o ; C h S3 ► £3 

are derivable, or S3 = and (73 = 0. 

- Assume Q" = Q'" + §2, we must have either 

5 2 =n[P ePo] I S 4 (K.5) 

and 

Ai;o;Chn[P ] | S 4 ► §"' and A l ; o ; C h h[Pq] I S 4 ► £ 2 

are derivable, or Pq = and £72 = 0. 

- Assume Q'" =n->m:a{e).^i,we must have 

P = a!e.P and S 4 = m[a?e.g + e'] | S' (K.6) 

and 

A 1 ;o;Chn[P / ] | m[a?e.<2 + <2'] | 5' ► £1 

derivable. 

Putting (K.5) and (K.6) together, we have that 

S = n[a!e.P ⊕ P'] | m[a?e.Q + Q'] | S'

(⇐) Assume

A; Γ; C ⊢ n[a!e.P ⊕ P'] | m[a?e.Q + Q'] | S' ▸ G (K.7)

We show that either a rule introducing the corresponding operator is applicable or that
an equivalent G can be inferred.

- Either split (S) = _L in which case Q = Q' ;0 or 

split (5) = (Si,S[) 

and we must have C74 ^ and 

A;T;C h5i ► Q 

with 

5i(n)=a!e.P ©Po and Si(m) =a?e.go + 2o and Si(n)=Pi and 5i(m) = 
such that 

fl!e.P®P'=(fl!e.P ©Po)[Pi/0] and ^e.g + g' = (a?e.e + eo)[ei/0] 
- Either there is 

S = n[a\e.P Q (SPo} | m[a?e.Qo + Go] \ Si \ S 2 
g' = Q" | g 3 and A =Ai UA 2 , and Aj HA 2 = 

Ai;o;C hn[a!e.P ®P^] | m[a?e.e + eo] | 5i ► ^" and A 2 ;o;ChS 2 

where S\ $ (this is a sound assumption, since one could apply [ ;] and [ | ] as many 
times as necessary to obtain this), or (73 = 0. 

- Either there is Q" = Q m + g 2 such that 

A;o;Ci hn[a!e.P ] | m[al e .Q + Q' ] \ Si ► 

and 

A;o;Ci hn[P'] | m[a?e.2 + Go] I Si ► £2 

or (72 = 0. 

- For 

A;o;Ci hn[a!e.P] | m[a?e.g + e'] | Si ► Q 1 " 
to be derivable, we must have g'" = n — > m : a(e)gi. 
Putting all the pieces together, we have the required result. 
Lemma 27. If A; Y;C\- S >■ g then 

Vne ¥(S).S(n) ^0 : n e ${S) n€fP(£) 

and 

Vne P(S).S(n) = n^2>(£) 

Proof. Straightforward.

Lemma 28. If A; Γ; C ⊢ S ▸ G then C(G) ⊆ C(S).
Proof. Straightforward induction on the derivation.

Lemma 29. If A; Γ; C ⊢ S ▸ G then C(S) ⊆ A.
Proof. Straightforward induction on the derivation.
Lemma 30. If G is well-formed and projectable then

- if G↾n = a!e.P ⊕ Q then there is a branch of G such that the first prefix on n is
n → m : a(e).

- if G↾n = a?e.P + Q then there is a branch of G such that the first prefix on n is
m → n : a(e).

Proof. By definition of Projection.
Lemma 31. If A; Γ; C ⊢ S | a : e · p ▸ G is derivable then for each branch in G the
first prefix on a is * → n : a(e).

Proof. Follows from the fact that for a common channel, [p] must be used before [.] (see
Lemma 2).

Lemma 32. If A; Γ; C ⊢ S ▸ G and there is a branch in G such that n → m : a(e) is
the first prefix on n (resp. m), then S(n) = a!e.P ⊕ P' (resp. S(m) = a?e.Q + Q').

Proof. Straightforward. 

Lemma 33. If fv(S) = ∅, and S → S', then fv(S') = ∅, i.e. reduction of systems
preserves closeness.

Proof. Follows directly from the semantics of the calculus. 
Lemma 34. If a ∈ C(G) then

A; Γ; C ⊢ a : p | S ▸ G then G↾a = p

In addition, a ∉ C(G) ⟹ p = [].
Proof. Follows from rules [p] and [0].